
Congressional 
Research Service 

Informing the legislative debate since 1914 



Cybersecurity and Information Sharing: 
Comparison of House and Senate Bills in the 
114th Congress 



Eric A. Fischer 

Senior Specialist in Science and Technology 

Stephanie M. Logan 

Research Assistant 

August 5, 2015 



Congressional Research Service 

7-5700 

www.crs.gov 

R44069 



CRS REPORT 

Prepared for Members and 
Committees of Congress 



Cybersecurity and Information Sharing: Comparison of Legislative Proposals 



Summary 

Effective sharing of information in cybersecurity is generally considered an important tool for 
protecting information systems from unauthorized access. Five bills on such sharing have been 
introduced in the 114th Congress (H.R. 234, H.R. 1560, H.R. 1731, S. 456, and S. 754), and 
relevant provisions have appeared in other bills. The White House has also submitted a legislative 
proposal and issued an executive order on the topic. 

H.R. 1560, the Protecting Cyber Networks Act (PCNA), and H.R. 1731, the National 
Cybersecurity Protection Advancement Act of 2015 (NCPAA), passed the House the week of 
April 20. The bills were then combined as separate titles in H.R. 1560. In the Senate, S. 754, the 
Cybersecurity Information Sharing Act of 2015 (CISA), was reported in March and was proposed 
to be considered as an amendment to H.R. 1735, the National Defense Authorization Act 
(NDAA). More than 70 amendments to CISA have been submitted, a managers amendment has 
been circulated, and a cloture motion was filed on August 3. Presumably, if the Senate passes 
CISA or another bill on information sharing, any inconsistencies between that bill and the two 
titles of H.R. 1560 could be reconciled during the process for resolving differences between the 
House and Senate bills. 

PCNA, NCPAA, and CISA have many similarities but also significant differences. All focus on 
information sharing among private entities and between them and the federal government. 
NCPAA would explicitly amend portions of the Homeland Security Act of 2002, and PCNA 
would amend parts of the National Security Act of 1947. CISA addresses the roles of the 
Department of Homeland Security and the intelligence community but does not explicitly amend 
either act. The bills differ in how they define some terms in common, the roles they provide for 
federal agencies, processes for nonfederal entities to share information with the federal 
government, processes for protecting privacy and civil liberties, uses permitted for shared 
information, and reporting requirements. In general, however, CISA and PCNA are more similar 
to each other than either is to NCPAA, although a number of those differences are provisions with 
no corresponding language in the other bills and potentially could be included in any final 
legislation. 

All the bills would address concerns about barriers to sharing information about cybersecurity 
within and across sectors. Such barriers are considered by many to hinder protection of 
information systems. Private-sector entities often express reluctance to share such information 
because of concerns about legal liability, antitrust violations, regulatory requirements, and 
protection of intellectual property and other proprietary business information. Institutional and 
cultural factors have also been cited — traditional approaches to security tend to emphasize 
secrecy and confidentiality, which would necessarily impede sharing of information. 

All the bills have provisions aimed at facilitating information sharing among private-sector 
entities and providing protections from liability. While reduction or removal of such barriers may 
provide benefits, concerns have been raised about potential adverse impacts, especially on 
privacy and civil liberties, and potential misuse of shared information. The bills address many of 
those concerns. In general, they limit the use of shared information to purposes of cybersecurity 
and law enforcement, and they limit government use, especially for regulatory purposes. All 
include provisions to shield information shared with the federal government from public 
disclosure and to protect privacy and civil liberties with respect to shared information that is not 
needed for cybersecurity purposes. All require reports to Congress on impacts of their provisions. 






Most observers appear to believe that legislation on information sharing is either necessary or at 
least potentially beneficial — provided that appropriate protections are included — but additional 
factors may be worthy of consideration as the legislative proposals are debated. In particular, 
resistance to information sharing among private-sector entities might not be substantially reduced 
by the actions contemplated in the legislation; and information sharing is only one of many facets 
of cybersecurity that organizations need to address to secure their information systems. 






Contents 

Background 1 

Current Legislative Proposals 3 

House Consideration of NCPAA and PCNA 3 

Senate Consideration of CISA 3 

Other Legislative Proposals in the 114th Congress 4 

Overview of the Legislative Proposals 4 

Selected Issues 6 

Side-by-Side Comparison of NCPAA, PCNA, and CISA 12 

Managers Amendment to CISA 12 

Glossary of Abbreviations in the Table 13 

Notes on the Table 14 

Tables 

Table 1. Side-by-Side Comparison of the Two Titles of H.R. 1560 as Passed by the 
House (PCNA, Title I, and NCPAA, Title II) and S. 754 (CISA) 15 

Contacts 

Author Contact Information 56 






This report compares two House bills and one Senate bill that address information sharing 
and related activities in cybersecurity. It also discusses some of the issues that those and 
other legislative proposals address. The three bills compared are 

• the Protecting Cyber Networks Act (PCNA, H.R. 1560 as passed by the House), 

• the National Cybersecurity Protection Advancement Act of 2015 (NCPAA, H.R. 
1731 as passed by the House), and 

• the Cybersecurity Information Sharing Act of 2015 (CISA, S. 754, as reported in 
the Senate). 

All three bills focus on information sharing among private entities and between them and the 
federal government. They address the structure of the information-sharing process, issues 
associated with privacy and civil liberties, and liability risks for private-sector sharing, and they 
also address some other topics in common. In addition to other provisions, NCPAA would 
explicitly amend portions of the Homeland Security Act of 2002 (6 U.S.C. §101 et seq.), and 
PCNA would amend parts of the National Security Act of 1947 (50 U.S.C. §3021 et seq.). CISA 
has many similarities to a bill with a similar name introduced in the 113th Congress and shares 
many provisions with PCNA, although there are also significant differences between them. 

This report consists of an overview of the three bills, other legislative proposals, and an executive 
order on information sharing, along with selected associated issues, followed by a side-by-side 
analysis of NCPAA, PCNA, and CISA. 1 For information on economic aspects of information 
sharing, see CRS Report R43821, Legislation to Facilitate Cybersecurity Information Sharing: 
Economic Analysis, by N. Eric Weiss. For discussion of legal issues, see CRS Report R43941, 
Cybersecurity and Information Sharing: Legal Challenges and Solutions, by Andrew Nolan. For 
an overview of cybersecurity issues, see CRS Report R43831, Cybersecurity Issues and 
Challenges: In Brief, by Eric A. Fischer. 



Background 

Barriers to the sharing of information on threats, attacks, vulnerabilities, and other aspects of 
cybersecurity — both within and across sectors — have long been considered by many to be a 
significant hindrance to effective cybersecurity, especially with respect to critical infrastructure, 
such as the financial system and the electric grid. 2 Private-sector entities often claim that they are 
reluctant to share such information among themselves because of concerns about legal liability, 
antitrust violations, and potential misuse, especially of intellectual property, including trade 
secrets and other proprietary business information. 

Perceived barriers to sharing with government agencies include concerns about risks of disclosure 
and the ways governments might use the information provided. In addition, some private-sector 



1 The analysis is limited to a textual comparison of the bills and is not intended to reach any legal conclusions regarding 
them. 

2 See, for example, CSIS Commission on Cybersecurity for the 44th Presidency, Cybersecurity Two Years Later, 
January 2011, http://csis.org/files/publication/110128_Lewis_CybersecurityTwoYearsLater_Web.pdf. There are 
currently 16 recognized critical-infrastructure sectors (see The White House, “Critical Infrastructure Security and 
Resilience,” Presidential Policy Directive 21, February 12, 2013, http://www.whitehouse.gov/the-press-office/2013/02/ 
12/presidential-policy-directive-critical-infrastructure-security-and-resil). 






entities complain that the federal government does not share its information — especially 
classified information — effectively with the private sector, and that there is little reciprocity or 
other incentives for such entities to share information with the government. 3 

Institutional and cultural factors have also been cited — traditional approaches to security tend to 
emphasize secrecy and confidentiality, which would necessarily impede sharing of information. 
While reduction or removal of such barriers may provide cybersecurity benefits, concerns have 
also been raised about potential adverse impacts, especially with respect to privacy and civil 
liberties. 

A few sectors are subject to federal notification requirements, 4 but most such information sharing 
is voluntary, often through sector-specific Information Sharing and Analysis Centers (ISACs) 5 or 
programs under the auspices of the Department of Homeland Security (DHS), sector-specific 
agencies, or private-sector organizations. 6 In 2009, the Obama Administration established the 
National Cybersecurity and Communications Integration Center (NCCIC) “to bolster information 
sharing and incident response” with respect to critical infrastructure in particular. 7 

Legislation focusing specifically on alleviating obstacles to information sharing in cybersecurity 
was first considered in the 112th Congress. 8 The Cyber Intelligence Sharing and Protection Act 
(CISPA, H.R. 3523) passed the House in the second session but received no action in the Senate. 
The Cybersecurity Information Sharing Act (CISA, S. 2102) of 2012 was largely incorporated 
into the Cybersecurity Act of 2012 (S. 3414), which was debated in the Senate but failed two 
attempts at cloture. The Obama Administration also proposed legislation during the 112th 
Congress that included provisions on information sharing. 9 

CISPA was reintroduced with little change in the 113th Congress as H.R. 624. An amended 
version passed the House but once again received no action in the Senate. A substantially 
amended version of CISA was reintroduced and reported in the Senate (S. 2588) but also received 
no further action. However, a bill authorizing NCCIC was enacted (S. 2519, P.L. 113-282), 10 
along with four other cybersecurity bills with provisions on the protection of critical 



3 See, for example, Sara Sorcher, “Security Pros: Cyberthreat Info-Sharing Won’t Be as Effective as Congress Thinks,” 
Christian Science Monitor, June 12, 2015, http://www.csmonitor.com/World/Passcode/2015/0612/Security-pros- 
Cyberthreat-info-sharing-won-t-be-as-effective-as-Congress- thinks. 

4 Notable examples include the chemical industry, electricity, financial, and transportation sectors. 

5 ISACs were originally formed pursuant to a 1998 presidential directive (The White House, “Presidential Decision 
Directive 63: Critical Infrastructure Protection,” May 22, 1998, http://www.fas.org/irp/offdocs/pdd/pdd-63.htm). 

6 See also CRS Report R42114, Federal Laws Relating to Cybersecurity: Overview of Major Issues, Current Laws, and 
Proposed Legislation, by Eric A. Fischer; CRS Report R42409, Cybersecurity: Selected Legal Issues, by Edward C. 
Liu et al.; CRS Report R42984, The 2013 Cybersecurity Executive Order: Overview and Considerations for Congress, 
by Eric A. Fischer et al.; CRS Report R43821, Legislation to Facilitate Cybersecurity Information Sharing: Economic 
Analysis, by N. Eric Weiss. 

7 Department of Homeland Security, “Secretary Napolitano Opens New National Cybersecurity and Communications 
Integration Center,” Press Release, October 30, 2009, http://www.dhs.gov/ynews/releases/pr_1256914923094.shtm. 

8 Some bills in earlier Congresses had addressed aspects of information sharing. For example, H.R. 5548 and S. 3480 in 
the 111th Congress included some provisions on bidirectional information sharing between the federal government and 
nonfederal entities. 

9 The White House, “Department of Homeland Security Cybersecurity Authority and Information Sharing,” May 12, 
2011, http://www.whitehouse.gov/sites/default/files/omb/legislative/letters/dhs-cybersecurity-authority.pdf. 

10 H.R. 3696, the National Cybersecurity and Critical Infrastructure Protection Act, would also have authorized the 
NCCIC. It passed the House but received no further action in the Senate. 






infrastructure and federal information systems, research and development, and the cybersecurity 
workforce. 11 



Current Legislative Proposals 



House Consideration of NCPAA and PCNA 

PCNA (H.R. 1560) was introduced March 24, 2015, and reported by the House Intelligence 
Committee on April 13 (H.Rept. 114-63). NCPAA (H.R. 1731) was introduced April 13 and 
reported by the House Homeland Security Committee on April 17 (H.Rept. 114-83). The House 
Committee on Rules held a hearing on proposed amendments to both bills on April 21. More than 
30 amendments were submitted for NCPAA and more than 20 for PCNA. 12 The committee 
reported H.Res. 212 (H.Rept. 114-88) on the two bills on April 21, with a structured rule allowing 
consideration of five amendments to PCNA and 11 for NCPAA. For each bill, a manager’s 
amendment would serve as the base bill for floor consideration, with debate on PCNA held on 
April 22 and on NCPAA on April 23. The rule further stated that upon passage of both bills, the 
text of H.R. 1731 would be appended to H.R. 1560, and H.R. 1731 would be tabled. 

On April 22, all five amendments to H.R. 1560 were adopted and the bill passed the House by a 
vote of 307 to 116. The amendments were all agreed to by voice vote except a sunset amendment 
terminating the bill’s provisions seven years after enactment, which passed by recorded vote of 
313 to 110. Similarly, on April 23, the 11 amendments to H.R. 1731 were all adopted and the bill 
was passed by a vote of 355 to 63. A sunset amendment similar to that approved for H.R. 1560 
and all but one other amendment were adopted by voice vote. The exception, requiring a GAO 
study on privacy and civil liberties impacts, was agreed to by recorded vote, 405 to 8. The 
engrossed version of H.R. 1560 combined the bills by making PCNA Title I and NCPAA Title 
II. 13 

Senate Consideration of CISA 

CISA was introduced and reported by the Senate Intelligence Committee on March 17, 2015, with 
a written report filed April 15 (S.Rept. 114-32). The bill was offered as an amendment to H.R. 
1735, the National Defense Authorization Act for 2016 (NDAA), but a cloture vote on the 
amendment failed on June 11. A motion to proceed on CISA was filed on August 3, along with a 
cloture motion. More than 70 amendments to the bill have been filed. The analysis in this report 
is based on the reported version of the bill. Changes that would be made by a widely circulated 
substitute are discussed in the section on “Managers Amendment to CISA.” 



11 See CRS Report R43831, Cybersecurity Issues and Challenges: In Brief, by Eric A. Fischer. 

12 For a list of amendments and text, see House Committee on Rules, “H.R. 1731 — National Cybersecurity Protection 
Advancement Act of 2015,” April 21, 2015, http://rules.house.gov/bill/114/hr-1731, and “H.R. 1560 — Protecting Cyber 
Networks Act,” April 21, 2015, http://rules.house.gov/bill/114/hr-1560. 

13 To avoid confusion about the passed and engrossed versions of H.R. 1560, the two bills are referred to hereinafter by 
their names, not their original bill numbers. CISA will also be referred to by name rather than bill number. 






Other Legislative Proposals in the 114th Congress 

Two other bills on information sharing have been introduced in the 114th Congress, one in the 
House and one in the Senate. The White House has also submitted a legislative proposal 14 (WHP) 
and issued an executive order on the topic. 15 The other bills are 

• the Cyber Intelligence Sharing and Protection Act (CISPA), which passed the 
House in the 113th Congress and was reintroduced unamended as H.R. 234; and 

• the Cyber Threat Sharing Act of 2015, S. 456, which is similar to the WHP. 16 



Overview of the Legislative Proposals 

All the bills would address common concerns about barriers to sharing of information on threats, 
attacks, vulnerabilities, and other aspects of cybersecurity — both within and across sectors — but 
they vary somewhat in emphasis and method. NCPAA focuses on the role of the Department of 
Homeland Security (DHS), and in particular the National Cybersecurity and Communications 
Integration Center (NCCIC), the role of which is also addressed in S. 456 and the WHP. 

PCNA, in contrast, focuses more on the role of the intelligence community (IC), 17 including 
explicit authorization of the Cyber Threat Intelligence Integration Center (CTIIC), the 
establishment of which was announced by the Obama Administration in February 2015. 18 Similar 
authorizing language was included in H.R. 2596, the Intelligence Authorization Act for Fiscal 
Year 2016, which passed the House June 16. The White House announced opposition to the 
provisions in the bill on CTIIC’s mission and personnel, arguing that they would interfere with 
the functions of the center as envisioned by the Administration. 19 Both CISPA and CISA address 
roles of DHS and the IC but do not specifically reference the NCCIC or CTIIC. 

All five bills and the WHP have provisions aimed at facilitating sharing of information among 
private-sector entities and providing protections from liability that might arise from such 
sharing. 20 They vary somewhat in the kinds of private-sector entities and information covered. In 



14 The White House, Updated Information Sharing Legislative Proposal, 2015, http://www.whitehouse.gov/sites/ 
default/files/omb/legislative/letters/updated-information-sharing- legislative-proposal.pdf. 

15 Executive Order 13691, “Promoting Private Sector Cybersecurity Information Sharing,” Federal Register 80, no. 34, 
February 20, 2015, pp. 9349-9353, http://www.gpo.gov/fdsys/pkg/FR-2015-02-20/pdf/2015-03714.pdf. 

16 See Senate Committee on Homeland Security and Governmental Affairs, Protecting America from Cyber Attacks: 
The Importance of Information Sharing, 2015, http://www.hsgac.senate.gov/hearings/protecting-america-from-cyber- 
attacks-the-importance-of-information-sharing. The hearing was not specifically on the White House proposal but it 
was held after the proposal was submitted and before the introduction of S. 456. 

17 The IC consists of 17 agencies and others as designated under 50 U.S.C. 3003. 

18 The White House, “Fact Sheet: Cyber Threat Intelligence Integration Center,” press release, February 25, 2015, 
https://www.whitehouse.gov/the-press-office/2015/02/25/fact-sheet-cyber-threat-intelligence-integration-center. 

19 Office of Management and Budget, “H.R. 2596 — Intelligence Authorization Act for FY 2016” (Statement of 
Administration Policy, June 15, 2015), https://www.whitehouse.gov/sites/default/files/omb/legislative/sap/114/ 
saphr2596r_20150615.pdf. 

20 The House-passed version of H.R. 1735, the National Defense Authorization Act for Fiscal Year 2016, contains 
provisions protecting certain classes of contractors from liability for information sharing, but the Senate-passed version 
does not contain those provisions. 






general, the proposals limit the use of shared information to purposes of cybersecurity and 
specified aspects of law enforcement, and they limit government use for regulatory purposes. 

NCPAA, PCNA, and CISA would explicitly authorize private-sector entities to monitor and use 
defensive measures to protect their own systems and those of other consenting entities. CISPA 
does not directly authorize those actions, but its provisions appear to cover monitoring. 21 S. 456 
and the WHP do not cover monitoring or defense. 

All address concerns about privacy and civil liberties, although the mechanisms proposed vary to 
some extent, in particular the roles played by the Attorney General, the DHS Secretary, Chief 
Privacy Officers, the Privacy and Civil Liberties Oversight Board (PCLOB), and the Inspectors 
General of DHS and other agencies. All the proposals require reports to Congress on impacts of 
their provisions. All also include provisions to shield information shared with the federal 
government from public disclosure, including exemption from disclosure under the Freedom of 
Information Act (FOIA). 

In addition, NCPAA, S. 456, and the WHP address and modify the roles of information sharing 
and analysis organizations (ISAOs). 22 ISAOs were defined in the Homeland Security Act (HSA, 6 
U.S.C. §131(5)) as entities that gather and analyze information relating to the security of critical 
infrastructure, communicate such information to help with defense against and recovery from 
incidents, and disseminate such information to any entities that might assist in carrying out those 
goals. Information Sharing and Analysis Centers (ISACs) are more familiar to most observers. 
They may arguably be ISAOs under the definition in HSA but have a different origin, having 
been formed pursuant to a 1998 presidential directive. 23 

Executive Order 13691, 24 issued soon after the WHP, also addresses the role of ISAOs. It requires 
the Secretary of Homeland Security to encourage and facilitate the formation of ISAOs, and to 
choose and work with a nongovernmental standards organization to identify standards and 
guidelines for them. 25 It also requires the NCCIC to coordinate with ISAOs on information 



21 It permits covered entities to “use cybersecurity systems to identify and obtain cyber threat information to protect the 
rights and property” of covered entities (Sec. 3(a), modifying Sec. 1104(b) of the National Security Act). 

22 The House Committee on Homeland Security held two hearings on the White House proposal before H.R. 1731 was 
introduced (House Committee on Homeland Security, Examining the President’s Cybersecurity Information Sharing 
Proposal, 2015, http://homeland.house.gov/hearing/hearing-administration-s-cybersecurity-legislative-proposal- 
information-sharing; House Committee on Homeland Security, Subcommittee on Cybersecurity, Infrastructure 
Protection, and Security Technologies, Industry Perspectives on the President’s Cybersecurity Information Sharing 
Proposal, 2015, http://homeland.house.gov/hearing/subcommittee-hearing-industry-perspectives-president-s- 
cybersecurity-information-sharing). 

23 The White House, “Presidential Decision Directive 63: Critical Infrastructure Protection,” May 22, 1998, 
http://www.fas.org/irp/offdocs/pdd/pdd-63.htm. The directive envisioned a single center for analysis and sharing of 
private-sector information relating to the protection of critical infrastructure, with specific design and functions 
determined by the private sector, in consultation with the federal government. That consultation resulted in the 
establishment of sector-specific ISACs, with the first, covering the financial sector, established in 1999 (ISAC Council, 
"Reach of the Major ISACs,” January 31, 2004, http://www.isaccouncil.org/images/ 
Reach_of_the_Major_ISACs_013104.pdf). 

24 Executive Order 13691, “Promoting Private Sector Cybersecurity Information Sharing.” 

25 DHS has posted a Notice of Funding Opportunity for the standards organization, with selection expected in August 
2015 (see Department of Homeland Security, “Information Sharing and Analysis Organizations,” May 27, 2015, 
http://www.dhs.gov/isao). 






sharing, and includes some provisions to facilitate sharing of classified cybersecurity information 
with appropriate entities. 

On April 21, the White House announced support for passage of both NCPAA and PCNA by the 
House, while calling for a narrowing of sweep for the liability protections and additional 
safeguards relating to use of defensive measures in both bills. 26 It also called for clarifying 
provisions in NCPAA on use of shared information in federal law enforcement and ensuring that 
provisions in PCNA do not interfere with privacy and civil liberties protections. As described 
above, the White House has also expressed opposition to the provisions on the mission and 
personnel of CTIIC in PCNA. The Obama Administration had not posted a statement of 
Administration policy on CISA as of August 4. However, the Department of Homeland Security 
has raised concerns about some of its provisions, 27 although a White House spokesman has 
reportedly stated that the Administration supports passage of the bill. 28 



Selected Issues 

Several issues appear to be particularly relevant to the debate over information-sharing 
legislation. Among them are the following: 

• Kinds of Information. What are the kinds of information for which barriers to 
sharing exist that make effective cybersecurity more difficult, and what are those 
barriers? 

• Information-Sharing Process. How should the gathering and sharing of 
information be structured in the public and private sectors to ensure that it is 
efficient, effective, and appropriate? 

• Uses of Information. What limitations should be placed on how shared 
information is used? 

• Standards and Practices. What improvements to current standards and practices 
are needed to ensure that information sharing is useful and efficient for protecting 
information systems, networks, and their contents? 

• Privacy and Civil Liberties. What are the risks to privacy rights and civil 
liberties of individual citizens associated with sharing different kinds of 
cybersecurity information, and how can those rights and liberties best be 
protected? 

• Liability Protections. What, if any, statutory protections against liability are 
needed to reduce disincentives for private-sector entities to share cybersecurity 
information with each other and with government agencies, and how can the 



26 Office of Management and Budget, “H.R. 1560 — Protecting Cyber Networks Act,” Statement of Administration 
Policy, April 21, 2015, https://www.whitehouse.gov/sites/default/files/omb/legislative/sap/114/ 
saphr1560r_20150421.pdf; Office of Management and Budget, “H.R. 1731 — National Cybersecurity Protection 
Advancement Act of 2015,” Statement of Administration Policy, April 21, 2015, https://www.whitehouse.gov/sites/ 
default/files/omb/legislative/sap/114/saphr1731r_20150421.pdf. 

27 Alejandro N. Mayorkas, “Letter to Senator Al Franken,” July 31, 2015. 

28 Cory Bennett, “White House Endorses Senate Cyber Bill,” The Hill, August 4, 2015, http://thehill.com/policy/ 
cybersecurity/250241-white-house-endorses-senate-cyber-bill. 






need to reduce such barriers best be balanced against any risks to well- 
established protections? 

An in-depth discussion of these issues is beyond the scope of this report. However, the points 
described below may be relevant for congressional debate. For discussion of legal issues 
associated with privacy, civil liberties, and liability protections, see CRS Report R43941, 
Cybersecurity and Information Sharing: Legal Challenges and Solutions, by Andrew Nolan. 

Information that may be usefully shared can be complex in type and purpose, which may 
complicate determining the best methods and criteria for sharing. Information sharing can 
involve a broad variety of material communicated on a wide range of timescales, from broad 
cybersecurity policies and principles to best practices to information on threat intelligence, 29 
vulnerabilities, and defenses to computer-generated data transmitted directly from one 
information system to another electronically. The level of sensitivity of information can also 
vary — for example, it may be classified, proprietary, or personal. Information of any class will 
also vary in its value for cybersecurity and the degree to which it needs human processing to be 
useful. 30 

Shared information can be used for a variety of purposes relating to cybersecurity. A widely 
recognized objective is to inform situational awareness — an understanding of the components, 
operational roles, and current and projected states of systems and networks being protected; 
events occurring within and across them; and threats, vulnerabilities, and other elements of risk, 
all in the context of the larger cyberspace environment. Shared information may also be used for 
identifying specific defensive actions or measures, and for planning and capacity-building, among 
other objectives. 31 In addition, the same information may have different utility for different 
users — for example, threat signatures relating to attacks on one critical infrastructure sector may 
be of marginal concern for another, and best practices may be much more useful for small 
businesses than signatures associated with advanced targeted threats. Also, shared information 
may prove of little use if it is delayed, provided without relevant contextual detail, or provided in 
a form that requires substantial additional processing to determine its applicability. If recipients 
find that the information they are provided is of little use to them, they may be less likely to 
participate in or continue with information-sharing initiatives. 

The timescale during which shared information will be most useful varies with the kind of 
information shared and its purpose. To the extent that the goal of information sharing is to defend 
systems and networks against cyberattacks, there appears to be a consensus that shared 
information needs to be actionable — that is, it should identify or evoke a specific response aimed 
at mitigating cybersecurity risks. To be meaningfully actionable, information may often need to 



29 This can be described as “indicators (i.e., an artifact or observable that suggests that an attack is imminent, that an 
attack is underway, or that a compromise may have already occurred); the TTPs [tactics, techniques, and procedures] of 
an adversary; and recommended actions to counter an attack” (Chris Johnson, Lee Badger, and David Waltermire, 
Guide to Cyber Threat Information Sharing (Draft), SP 800-150, National Institute of Standards and Technology, 
October 2014, 4, http://csrc.nist.gov/publications/drafts/800-150/sp800_150_draft.pdf). 

30 See, for example, Kathleen M. Moriarty, “Transforming Expectations for Threat-Intelligence Sharing,” RSA 
Perspective, August 3, 2013, https://www.emc.com/collateral/emc-perspective/hl2175-transf-expect-for-threat-intell- 
sharing.pdf. 

31 See, for example, Department of Homeland Security, “Information Sharing: A Vital Resource,” March 10, 2015, 
http://www.dhs.gov/infonnation-sharing-vital-resource; Robin M. Ruefle and M. Murray, “CSIRT Requirements for 
Situational Awareness,” Carnegie Mellon University, January 25, 2014, http://oai.dtic.mil/oai/oai?verb=getRecord& 
metadataPrefix=html&identifiei=ADA596848. 



Congressional Research Service 



7 



Cybersecurity and Information Sharing: Comparison of Legislative Proposals 



be shared very quickly or even in an automated fashion. Such rapid communication, for example 
by machine -to-machine transmission and processing, is sometimes called “real-time” or “near 
real-time” sharing. The relevance of timing for shared information may be measured in seconds 
or even milliseconds in many cases. 32 There may be little or no time for human operators to 
examine a specific parcel of data to determine whether sharing it could raise privacy, liability, or 
other concerns. Therefore, the way that such sharing is implemented may affect not only 
operational effectiveness, but also other interests and goals such as privacy. 

A large increase in information sharing could potentially lead to information overload, reducing 
the effectiveness of the sharing in reducing cybersecurity risks. The relationship between the 
volume of information shared and improved cybersecurity is not straightforward. Given the broad 
classes of information that might be candidates for sharing, and the sheer volume of available 
data, an entity could receive much more information than it can reasonably process with available 
resources. Both providers and recipients — whether they are businesses, ISACs, ISAOs, or 
government agencies — will incur various costs, including developing, assessing, processing, 
sharing, and applying the information. For sharing to be effective, information from the provider 
must be relevant to recipients’ needs and in forms that can be readily applied in their information 
technology and security environments. Recipients must also have the capacity and willingness to 
assess and use the information received in a timely fashion. A large increase in the amount of 
information received may be counterproductive, especially if much of the information proves to 
be of little use to the recipient. That could include not only information of uncertain quality and 
use, but also similar or redundant information from a variety of sources, which could lead to 
misdirection and waste of resources and could result in important information being overlooked. 
However, determining a priori what information is useful to share may be difficult. 33 

The current structure for information sharing is fairly complex but arguably limited in scope. Several federal entities in addition to NCCIC and CTIIC are involved. For example, the National Cyber Investigative Joint Task Force (NCIJTF), which is operated by the Federal Bureau of Investigation (FBI), shares information on investigations related to domestic cyberthreats with national security and criminal law-enforcement programs.34 Other entities with broader missions may also be involved in cybersecurity information sharing — for example, the federal Information Sharing Environment,35 and state and local fusion centers.36 There are also many private-sector entities with information-sharing missions, most notably the ISACs, of which 19 are members of the national council.37

Currently, there appear to be two general models for information sharing — a decentralized, “peer-to-peer,” often informal approach between entities with complementary needs, and a more centralized “hub-and-spoke” model such as the ISACs.38 Organizations such as ISACs are generally sector-specific. Not all sectors have such organizations, and affiliations other than sector may also be important for some kinds of information sharing. Filling such gaps appears to be part of the rationale behind the Administration’s ISAO proposal to broaden the scope of ISAOs beyond that described in the Homeland Security Act.39 On the one hand, the absence of an appropriate mechanism can be a barrier to information sharing for an entity. On the other hand, a proliferation of mechanisms, such as some observers fear the Administration’s ISAO model might result in, could also serve as a barrier if it makes information sharing inefficient or confusing for possible participants.

32 See, for example, M.J. Herring and K.D. Willett, “Active Cyber Defense: A Vision for Real-Time Cyber Defense,” Journal of Information Warfare 13, no. 2, April 2014, pp. 46-55, https://www.nsa.gov/ia/_files/JIW-13-2_23-April-2014_Final-Version.pdf.

33 See, for example, Moriarty, “Transforming Expectations for Threat-Intelligence Sharing.”

34 Federal Bureau of Investigation, “National Cyber Investigative Joint Task Force,” 2015, http://www.fbi.gov/about-us/investigate/cyber/ncijtf.

35 Information Sharing and Access Interagency Policy Committee, “Information Sharing Environment (ISE),” 2015, http://www.ise.gov/.

36 National Fusion Center Association, “National Strategy for the National Network of Fusion Centers, 2014-2017,” July 2014, https://nfcausa.org/html/National%20Strategy%20for%20the%20National%20Network%20of%20Fusion%20Centers.pdf.

37 National Council of ISACs, “Member ISACs,” 2015, http://www.isaccouncil.org/memberisacs.html.

A proliferation of sharing mechanisms could improve coverage for information sharing among 
sectors but might also lead to duplication or overspecialization. Those could lead to a reduction 
in effective sharing across sectors, for example, and lack of clarity with respect to responsibilities. 
It also creates the possibility that entities could receive conflicting information or even 
incompatible recommendations from different sharing organizations. However, the potential for 
duplication creates the potential for market competition, and such market forces would ideally 
yield more innovation and more rapid improvement in information sharing than would a more 
restricted approach. Market forces might also lead to lower costs, and cost can be an impediment 
to improved information sharing, especially for small businesses. Yet market forces might also 
lead to higher costs, and a proliferation of sharing mechanisms might also make decisions about 
which one or ones to join more difficult for potential participants. In contrast, a narrow, tightly 
defined structure for information sharing could lead to logjams or impede innovation in response 
to the continuing evolution of cyberspace. 

Development of consensus standards and best practices may improve the effectiveness and efficiency of information sharing.40 The adoption of standards for information sharing is one way to help address concerns about reliability and utility of information received. Such an effort may be especially useful if the number and scope of ISAOs grows significantly, as may be the case under the Obama Administration proposal and EO 13691. Dozens of standards currently exist relating to information sharing.41 The Department of Homeland Security has been developing a single set applicable to sharing of threat intelligence.42 However, the large variation in sharing requirements and benefits among different entities and sectors may pose a significant challenge to the development of a useful common set of standards and practices. Nevertheless, experience with the development of the NIST cybersecurity framework suggests that it may be possible to create a sufficiently flexible structure that entities can use to identify and develop appropriate standards and practices.43



38 Denise E. Zheng and James A. Lewis, Cyber Threat Information Sharing: Recommendations for Congress and the 
Administration, CSIS, March 2015, https://csis.org/files/publication/150310_cyberthreatinfosharing.pdf. 

39 The White House, Updated Information Sharing Legislative Proposal, The White House, “Fact Sheet: Executive 
Order Promoting Private Sector Cybersecurity Information Sharing” (Press Release, February 12, 2015), 
http://www.whitehouse.gov/the-press-office/2015/02/12/fact-sheet-executive-order-promoting-private-sector- 
cybersecurity-inform; Executive Order 13691, “Promoting Private Sector Cybersecurity Information Sharing.” 

40 See, for example, Moriarty, “Transforming Expectations for Threat-Intelligence Sharing.” 

41 European Union Agency for Network and Information Security, Standards and Tools for Exchange and Processing 
of Actionable Information, November 2014, https://www.enisa.europa.eu/activities/cert/support/actionable-information/ 
standards-and-tools-for-exchange-and-processing-of-actionable-information. 

42 Department of Homeland Security, “Information Sharing Specifications for Cybersecurity,” 2015, https://www.us- 
cert.gov/Information-Sharing-Specifications-Cybersecurity. 

43 See CRS Report R42984, The 2013 Cybersecurity Executive Order: Overview and Considerations for Congress, by Eric A. Fischer et al.

Protection of confidentiality, privacy, and civil liberties in information sharing remains an area of controversy. Concerns relating to privacy and civil liberties, especially the protection of personal and proprietary information and uses of shared information, have been a subject of considerable debate in the development of legislation on information sharing. The bills contain provisions aimed at reducing risks of inappropriate sharing and use of such information. Observers vary significantly in assessments about the adequacy of those safeguards, both in general and with respect to the House and Senate bills.44 Some observers argue that shared cybersecurity information seldom needs to include privacy-related information,45 which suggests that privacy concerns may be limited and comparatively easy to address. However, the issue is complicated by various factors, including potential impacts of advances in data analytic capabilities, often referred to as “big data.” According to a presidential advisory panel, “By data mining and other kinds of analytics, nonobvious and sometimes private information can be derived from data that, at the time of their collection, seemed to raise no, or only manageable, privacy issues.”46 There are many potential sources, unrelated to the information-sharing activities addressed in the bills, from which an individual’s personal information in cyberspace can be identified and acquired by various entities. The impacts of data mining and analytics do not appear to have generally been analyzed with respect to the potential risks to confidentiality and privacy of private- and public-sector information-sharing activities in comparison to risks from other kinds of activities.

Sharing of information among private-sector entities might not be substantially increased by the actions contemplated in the legislation. Most observers appear to believe that legislation on information sharing is either necessary or at least potentially beneficial — provided that appropriate protections are included. Some observers have noted that the benefits of receiving cybersecurity information tend to outweigh the benefits of providing such information for many organizations.47 This may be especially true for information shared with the federal government.48 Timely and actionable information that an entity receives can help it prevent or mitigate an attack. In the absence of incentives for reciprocity, however, it is hard to see what benefit an organization would gain from providing information, unless it is a government entity whose mission is to provide such data or a provider of cybersecurity services. More indirect benefits might occur, for example, if a pattern of reciprocity develops among sharing entities, such as through ISACs or ISAOs. However, information sharing by itself is not sufficient to improve cybersecurity. Not only must the information be actionable, but the recipient must also have processes, including equipment and software, in place to use the information effectively. If such processes are not in place and utilized properly, the net effect may be the same as if the information were not shared at all.49

44 See, for example, Dean C. Garfield, President and CEO, Information Technology Industry Council, “Letter to Sens. Mitch McConnell and Harry Reid,” July 23, 2015, http://www.itic.org/policy/ITICISASenateLetter07-23-2015.pdf; Robyn Greene, “Is CISA Gift-Wrapped for Hackers and Nation-State Actors?,” The Hill, August 3, 2015, http://thehill.com/blogs/pundits-blog/technology/250070-is-cisa-gift-wrapped-for-hackers-and-nation-state-actors; House Committee on Homeland Security, Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies, Industry Perspectives on the President’s Cybersecurity Information Sharing Proposal; Mayorkas, “Letter to Senator Al Franken”; Office of Management and Budget, “H.R. 1560 — Protecting Cyber Networks Act”; Office of Management and Budget, “H.R. 1731 — National Cybersecurity Protection Advancement Act of 2015.”

45 See, for example, David Inserra and Paul Rosenzweig, “Cybersecurity Information Sharing: One Step Toward U.S. Security, Prosperity, and Freedom in Cyberspace,” Backgrounder #2899 (The Heritage Foundation, April 1, 2014); Kimberley Peretti, “Cyber Threat Intelligence: To Share or Not to Share — What Are the Real Concerns?,” Privacy and Security Law Report 13, no. 1476 (September 1, 2014), http://www.alston.com/Files/Publication/09a5e602-0f0c-4635-b5eb-685811791486/Presentation/PublicationAttachment/629e5e52-4200-422a-a3e1-6fa39e6b2ff5/Bloomberg%20BNA_KPeretti_LDennig_Cyber%20Threat%20Intel%208%2029%2014.pdf.

46 President’s Council of Advisors on Science and Technology, “Big Data and Privacy: A Technological Perspective,” April 30, 2014, p. ix, https://www.whitehouse.gov/sites/default/files/microsites/ostp/PCAST/pcast_big_data_and_privacy_-_may_2014.pdf.

47 See, for example, CRS Report R43821, Legislation to Facilitate Cybersecurity Information Sharing: Economic Analysis, by N. Eric Weiss; Zheng and Lewis, “Cyber Threat Information Sharing: Recommendations for Congress and the Administration.”

48 Sorcher, “Security Pros.”

In addition to issues such as legal concerns that may be associated with providing information, businesses may be concerned about reputation costs, if they provide information showing that they have been victims of cyberattacks. Government measures such as requirements for data-breach notification, as enacted in most states, can provide incentives for organizations to share information that may be useful in attempts to prevent future attacks on other entities or to capture and prosecute cybercriminals. While the legislative proposals on information sharing may reduce the risks to private-sector entities associated with providing information, none include explicit incentives to stimulate such provision. In the absence of mechanisms to balance the asymmetry between incentives for receiving and providing information, the degree to which information sharing would increase under the provisions of the various legislative proposals may be uncertain.

Information sharing is only one facet of cybersecurity.50 Information sharing is only one of many cybersecurity tools, and some observers have expressed concern about risks associated with an overemphasis on its role in cybersecurity. Sharing may be relatively unimportant for many organizations, especially in comparison with other cybersecurity needs.51 Entities must also have the resources and processes in place that are necessary for effective cybersecurity risk management. For example, in the data breaches of information on federal employees revealed in June by the Office of Personnel Management (OPM), it is not clear that specific information about the threat or even defensive measures would have resulted in effective defense against the attacks, given OPM’s reported shortcomings in implementation of requirements in the Federal Information Security Management Act (FISMA).52

In addition, information sharing tends to focus on immediate concerns such as cyberattacks and imminent threats. While those must be addressed, that does not diminish the importance of other issues in cybersecurity such as education and training, workforce, acquisition, or cybercrime law, or major long-term challenges such as building security into the design of hardware and software, changing the incentive structure for cybersecurity, developing a broad consensus about cybersecurity needs and requirements, and adapting to the rapid evolution of cyberspace.

49 See, for example, Johnson, Badger, and Waltermire, “Guide to Cyber Threat Information Sharing (Draft).”

50 See, for example, Testimony of Martin C. Libicki before the House Committee on Oversight and Government Reform, Subcommittee on Information Technology, hearing on Industry Perspectives on the President’s Cybersecurity Information Sharing Proposal, 2015, http://homeland.house.gov/hearing/subcommittee-hearing-industry-perspectives-president-s-cybersecurity-information-sharing.

51 For example, in the Cybersecurity Framework developed by the National Institute of Standards and Technology, target levels of information sharing vary among the four tiers of cybersecurity implementation developed for organizations with different risk profiles (National Institute of Standards and Technology, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, February 12, 2014, http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214-final.pdf).

52 See, for example, House Committee on Oversight and Government Reform, OPM: Data Breach, hearing, June 16, 2015, https://oversight.house.gov/hearing/opm-data-breach; CRS Report R44111, Cyber Intrusion into U.S. Office of Personnel Management: In Brief, coordinated by Kristin Finklea.



Side-by-Side Comparison of NCPAA, PCNA, and CISA



The remainder of the report consists of a side-by-side comparison of provisions in NCPAA and 
PCNA as passed by the House and CISA as reported to the Senate. 



Managers Amendment to CISA 

A widely circulated managers’ amendment to CISA would make some changes that are not reflected in the table but are summarized here:

• Narrows the definition of defensive measure in Sec. 2(7) to expressly exclude measures that provide unauthorized access to information systems.

• Expands the definition of private entity in Sec. 2(15) to include utilities other than electric utilities.

• Narrows the authorized uses of shared information by nonfederal entities in Sec. 4(c)(1) to cybersecurity purposes (certain law-enforcement uses would still be permitted for nonfederal governments with prior consent under Sec. 4(d)(4)).

• Makes the Secretary of Homeland Security responsible along with the Attorney General for developing policies and procedures for federal receipt of shared cyber threat indicators and defensive measures under Sec. 5(a).

• Clarifies that communications about previously shared indicators between a federal and private entity through the DHS process in Sec. 5(c) are for the purpose of describing threats or developing defensive measures.

• Deletes the provision in Sec. 5(d)(5) permitting use of shared information for law enforcement purposes relating to serious violent felonies under 18 U.S.C. §3559(c)(2)(F), which cover crimes that are arguably not related to cybersecurity.

• Eliminates the express exemption under the Freedom of Information Act (FOIA) for cybersecurity information under Sec. 10.

• Makes other clarifying or technical changes, for example, changing “personal information of or identifying a specific person” to “personal information or information that identifies a specific person” at several places in the bill, and requiring that the Director of National Intelligence submit a separate report to the House Foreign Affairs and Senate Foreign Relations Committees when submitting the report required under Sec. 9.






Glossary of Abbreviations in the Table 

AG: Attorney General
CI: Critical Infrastructure
CPO: Chief Privacy Officer
CRADA: Cooperative research and development agreement
CTIIC: Cyber Threat Intelligence Integration Center
DHS: Department of Homeland Security
DNI: Director of National Intelligence
DOD: Department of Defense
DOJ: Department of Justice
FIPPs: Fair Information Practice Principles
HSA: Homeland Security Act
HSC: House Committee on Homeland Security
HSGAC: Senate Homeland Security and Governmental Affairs Committee
IC: Intelligence community
ICS: Industrial control system
ICS-CERT: Industrial Control System Cyber Emergency Response Team
IG: Inspector General
ISAC: Information sharing and analysis center
ISAO: Information sharing and analysis organization
MOU: Memorandum of understanding
NCCIC: National Cybersecurity and Communications Integration Center
NCPAA: National Cybersecurity Protection Advancement Act of 2015
ODNI: Office of the Director of National Intelligence
PCLOB: Privacy and Civil Liberties Oversight Board
PCNA: Protecting Cyber Networks Act
R&D: Research and development
SSA: Sector-specific agency
Secretary: Secretary of Homeland Security
U.S.: United States
U.S.C.: United States Code
US-CERT: United States Computer Emergency Readiness Team
U/S-CIP: DHS Under Secretary for Cybersecurity and Infrastructure Protection






Notes on the Table 

Entries describing provisions in a bill are summaries or paraphrases, with direct quotes enclosed in double quotation marks. The table uses the following formatting conventions to aid in the comparison:

• Related provisions in the two titles are adjacent to each other, with NCPAA serving as the basis for comparison.53 As a result, many provisions of PCNA appear out of sequence in the table.

• Bold formatting denotes that the identified provision is the subject of the subsequent text (e.g., (d) or Sec. 102 (a)).

• Numbers and names of sections, subsections, and paragraphs (except definitions) added to existing laws by the bills are enclosed in single quotation marks (e.g., ‘Sec. 111(a)’).

• Underlined text (visible only in the pdf version) is used in selected cases as a visual aid to highlight differences with a corresponding provision in the other bill that might otherwise be difficult to discern.

• The names of titles, sections, and some paragraphs are stated the first time a provision from them is discussed in the table — for example, Sec. 103. Authorizations for Preventing, Detecting, Analyzing, and Mitigating Cybersecurity Threats — but only the number, to the paragraph level or higher, is used thereafter.

• In cases where a provision of PCNA is out of sequence from that immediately above it, as much of the provision number is repeated as is needed to make its origin clear. For example, on p. 28, a provision from Sec. 103 is described immediately after an entry for Sec. 109 and is therefore labelled Sec. 103(c)(3). That is followed immediately by an entry labelled (a), which is a subsection of Sec. 103 and therefore is not preceded by the section number.

• Page numbers cited within the table are hyperlinked to the provisions they reference in the table; the page numbers themselves refer to pages in the pdf version of this report.

• Explanatory notes on provisions are enclosed in square brackets. Also, the entry “[Similar to {bill}]” means that the text in that provision is closely similar in text, with no significant difference in meaning, to the corresponding provision in the named bill. “[Identical to {bill}]” means that there are no differences in language between the text of that provision and the corresponding provision in the named bill. A double em-dash (——) means that the bill has no corresponding provision.

See the “Glossary of Abbreviations in the Table” for meanings of abbreviations used therein.



53 This approach was taken for purposes of efficiency and convenience only. CRS does not advocate or take positions 
on legislation or legislative issues. 






Table I. Side-by-Side Comparison of the Two Titles of H.R. 1560 as Passed by the House — PCNA (Title I) and NCPAA (Title 

II)— and S. 754 (CISA) 



NCPAA 

“To amend the Homeland Security Act of 2002 to 
enhance multi-directional sharing of information related 
to cyber-security risks and strengthen privacy and civil 
liberties protections, and for other purposes.” 

Sec. 20 1 . Short Title 

National Cybersecurity Protection Advancement Act of 
2015 

Sec. 202. National Cybersecurity and 
Communications Integration Center 

Amends Sec. 226 of the HSA (6 U.S.C. 148). [Note: This 
section, added by P.L I 1 3-282, established the National 
Cybersecurity and Communications Integration Center 
and is referred to in the bill as the “second section 226” 
to distinguish it from an identically numbered section 
added by P.L. I 13-277.] 

(a) In General 

Amends existing definitions in 6 U.S.C. 148(a): 

Cybersecurity Risk: Excludes actions solely involving 
violations of consumer terms of service or licensing 
agreements from the definition. 

Incident: Replaces the phrase "or constitutes a violation 
or imminent threat of violation of law, security policies, 
security procedures, or acceptable use policies" with 
“or actually or imminently jeopardizes, without lawful 
authority, an information system.” 

Adds the following definitions: 



PCNA 

“To improve cybersecurity in the United States through 
enhanced sharing of information about cybersecurity 
threats, and for other purposes.” [Note: These two 
official titles have been concatenated in the engrossed 
version of H.R. 1 560.] 

Sec. 101. Short Title 

Protecting Cyber Networks Act 



Sec. I 10. Definitions 



Agency: As in 44 U.S.C. 3502. 



CISA 

[Identical to PCNA] 



Sec. I. Short title; table of contents 

Cybersecurity Information Sharing Act of 20 1 5 



Sec. 2. Definitions 



[Identical to PCNA] 



CRS- 15 



NCPAA 



PCNA 



CISA 



Cyber Threat Indicator: 

Technical information necessary to describe or identify 

- a method for “probing, monitoring, maintaining, or 
establishing network awareness” [defined below] of an 
information system to discern its technical 
vulnerabilities, if the method is known or reasonably 
suspected of association with a known or suspected 
cybersecurity risk, including 

communications that reasonably appear to have “the 
purpose of gathering technical information related to a 
cybersecurity risk ," 

- a method for defeating a security control or technical 
control , 

- “a technical vulnerability including anomalous technical 
behavior that may become a vulnerability,” 

- a method of causing a legitimate user of an information 
system or its contents to 

“inadvertently enable the defeat of a technical or 



Appropriate Federal Entities: Departments of Commerce, 
Defense, Energy, Homeland Security, Justice, and the 
Treasury; and Office of the ODNI. 

Cybersecurity Threat: An action unprotected by the I st 
Amendment to the Constitution that involves an 
information system and may result in unauthorized 
efforts to adversely impact the security, integrity, 
confidentiality, or availability of the system or its 
contents, but not including actions solely involving 
violations of consumer terms of service or licensing 
agreements. 

Cyber Threat Indicator: 

Information or a physical object necessary to describe 
or identify 

- malicious reconnaissance [Note; Definition of this term 
below includes a method, associated with a known or 
suspected cybersecurity threat, for probing or 
monitoring an information system to discern its 
vulnerabilities], including 



anomalous patterns of communications that appear to 
have “the purpose of gathering technical information 
related to a cybersecurity threat or security 
vulnerability ,’’ 

- a method of defeating a security control or exploiting 
a security vulnerability. 

- a security vulnerability or anomalous activity indicating 
the existence of one, 

- a method of causing a legitimate user of an information 
system or its contents to 

unwittingly enable defeat of a security control or 



Antitrust Laws: As in 15 U.S.C. 1 2, 1 5 U.S.C. 45 as it 
“applies to unfair methods of competition,” and state 
laws with the same intent and effect. 

[Identical to PCNA] 

[Similar to PCNA] 

Cyber Threat Indicator: 

Information necessary to describe or identify 
[Identical to PCNA] 

[Identical to PCNA] 

[Identical to PCNA] 

[Identical to PCNA] 

[Identical to PCNA] 



CRS- 16 



NCPAA 



PCNA 



CISA 



operational control,” 

- a method for unauthorized remote identification, 
access, or use of an information system or its contents, 
if the method is known or reasonably suspected of 
association with a known or suspected cybersecurity 
risk, or 

- actual or potential harm from an incident, including 
exfiltration of information; or 

- any other cybersecurity risk attribute that cannot be 
used to identify specific persons believed to be 
unrelated to the risk, and 

disclosure of which is not prohibited by law. 

- any combination of the above. 

Cybersecurity Purpose: 

Protecting 

an information system or its contents from a 
cybersecurity risk or incident or identifying a risk or 
incident source. 

Defensive Measure: 

An “action, device, procedure, signature, technique, or 
other measure applied to an information system” or its 
contents that “ detects , prevents or mitigates a known 
or suspected cybersecurity risk or incident " or 
attributes that could help defeat security controls , 

but not including “a measure that destroys, renders 
unusable, or substantially harms an information system” 
or its contents not operated by that nonfederal entity, 
except a state, local, or tribal government, or by 
another nonfederal or federal entity that consented to 
such actions. 



[Note; No corresponding provision, but Information 



exploitation of a security vulnerability. 

- “malicious cyber command and control,” [Note; 
Definition of this term below includes remote 
identification, access, or use of an information system or 
its contents.] 



[Identical to NCPAA] 



- any other cybersecurity threat attribute the 



disclosure of which is not prohibited by law. 



Cybersecurity Purpose: 

Protecting (including by using defensive measures) 
an information system or its contents from a 
cybersecurity threat or security vulnerability or 
identifying a threat source. 

Defensive Measure: 

An “action, device, procedure, technique, or other 
measure” executed on an information system or its 
contents that “prevents or mitigates a known or 
suspected cybersecurity threat or security 
vulnerability.” 

[No Corresponding Provision; however, the authority 
to operate defensive measures in Sec. 103(b) includes a 
similar restriction; see p. 30]; 



Federal Entity: A U.S. department or agency, or any 
component thereof. 

Information System: As in 44 U.S.C. 3502. 



[Identical to PCNA] 



[Identical to NCPAA] 

[Identical to PCNA] 

[Identical to PCNA] 

- “any combination thereof.” 

Cybersecurity Purpose: 

Protecting 

an information system or its contents from a 
cybersecurity threat or security vulnerability. 

Defensive Measure: 

An “action, device, procedure, signature, technique, or 
other measure” applied to an information system that 
“detects, prevents or mitigates a known or suspected 
cybersecurity threat or security vulnerability.” 

but not including “a measure that destroys, renders 
unusable, or substantially harms an information system” 
or its contents not operated by that private entity, or 
by another entity or federal entity that consented to 
such actions. 

[Identical to PCNA] 

[Identical to PCNA] 



CRS-17 






System is already defined in 6 U.S.C. 148 as 44 U.S.C. 
3502.] 



[Note: No corresponding provision, but the definition of 
Cyber Threat Indicator includes a method for 
unauthorized remote identification, access, or use of an 
information system or its contents, provided that the 
method is known or reasonably suspected of 
association with a known or suspected cybersecurity 
risk.] 



Network Awareness: 

Scanning, identifying, acquiring, monitoring, logging, or 
analyzing the contents of an information system. 

[Note: Nonfederal government agencies are not 
expressly defined in the bill but are covered in specific 
provisions] 

Private Entity: 

A nonfederal entity that is an individual, nonfederal 
government utility or “an entity performing utility 
services,” or 

private group, organization, proprietorship, partnership, 
trust, cooperative, corporation, or other commercial or 
nonprofit entity, 

including personnel. 



Local Government: A political subdivision of a state. 

Malicious Cyber Command and Control: “A method for 
unauthorized remote identification of, access to, or use 
of an information system” or its contents. 



Malicious Reconnaissance: A method, associated with a 
known or suspected cybersecurity threat, for probing 
or monitoring an information system to discern its 
vulnerabilities. 

Monitor: 

Scanning, identifying, acquiring, or otherwise possessing 
the contents of an information system. 

Non-Federal Entity: 

A private entity or nonfederal government or agency 
thereof (including personnel), but not including foreign 
powers as defined in 50 U.S.C. 1801. 

Private Entity: 

A person, nonfederal government utility, or 



[Identical to NCPAA] 



including personnel, but 

not including a foreign power as defined in 50 U.S.C. 
1801. 

Real Time: Automated, machine-to-machine system 
processing of cyber threat indicators where the 



[Identical to PCNA] 
[Identical to PCNA] 



[Identical to PCNA] 

[Identical to PCNA] 

Entity: 

A private entity or nonfederal government or agency 
thereof, but not including foreign powers as defined in 
50 U.S.C. 1801. 

Private Entity: 

A person, nonfederal government electric utility, or 

[Identical to NCPAA] 

[Identical to PCNA] 

[Identical to PCNA] 



CRS-18 






Security Control: The management, operational, and 
technical controls used to protect an information 
system and the information stored on, processed by, or 
transiting it against unauthorized attempts to adversely 
affect their confidentiality, integrity, or availability. 



Sharing: “Providing, receiving, and disseminating.” 



(b) Amendment 

Adds tribal governments, private entities, and ISACs as 
appropriate members of the NCCIC in DHS. 

Sec. 203. Information Sharing Structure and 
Processes 



Amends Sec. 226 of the HSA. 



(I) revises the functions of the NCCIC by specifying 
that it is the “lead” federal civilian interface for 
information sharing, adding “cyber threat indicators” 
and “defensive measures” to the subjects it addresses, 
and expanding its functions to include 



occurrence and “reporting or recording” of an event 
are “as simultaneous as technologically and 
operationally practicable.” 

Security Control: The management, operational, and 
technical controls used to protect an information 
system and its information against unauthorized 
attempts to adversely impact their security, 
confidentiality, integrity, or availability. 

Security Vulnerability: “Any attribute of hardware, 
software, process, or procedure that could enable or 
facilitate the defeat of a security control.” 



Tribal: As in 25 U.S.C. 450b. 



Sec. 102. Sharing of Cyber Threat Indicators and 
Defensive Measures by the Federal Government 
With Non-federal Entities 

(a) In General 

Amends Title I of the National Security Act of 1947 by 
adding a new section. 

‘Sec. 111. Sharing of Cyber Threat Indicators 
and Defensive Measures by the Federal 
Government With Non-Federal Entities’ 

‘(a) Sharing by the Federal Government’ 

‘(1)’ requires the DNI, in consultation with the heads of 
appropriate federal entities, to develop and promulgate 
procedures consistent with protection of classified 
information, intelligence sources and methods, and 
privacy and civil liberties, for 



Security Control: The management, operational, and 
technical controls used to protect an information 
system and its information against unauthorized 
attempts to adversely affect their confidentiality, 
integrity, or availability. 

[Identical to PCNA] 



[Identical to PCNA] 



Sec. 3. Sharing of Information by the Federal 
Government 

(a) In General 



Requires the DNI, the Secretaries of Homeland Security 
and Defense, and the AG, in consultation with the heads 
of appropriate federal entities, to develop and 
promulgate procedures consistent with protection of 
classified information, intelligence sources and methods, 
and privacy and civil liberties, for 



CRS-19 






- providing information and recommendations on 
information sharing, 

- in consultation with other appropriate agencies, 
collaborating with international partners, including on 
enhancing “the security and resilience of the global 
cybersecurity ecosystem,” and 

- sharing “cyber threat indicators, defensive measures,” 
and information on cybersecurity risks and incidents 
with federal and nonfederal entities, including across 
critical-infrastructure (CI) sectors and with fusion 
centers. 

[Note: See also the provisions on the CTIIC in PCNA, p. 
26.] 

- notifying the Secretary, the HSC, and the HSGAC of 
significant violations of privacy and civil liberties 
protections under ‘Sec. 226(i)(6),’ 

- promptly notifying nonfederal entities that have shared 
information known to be in error or in contravention 
to section requirements, 



- participating in DHS-run exercises, and 



timely sharing of classified cyber threat indicators and 
declassified indicators with relevant nonfederal entities, 
and sharing of information about imminent or ongoing 
cybersecurity threats to such entities to prevent and 
mitigate adverse impacts. 



‘(2) Development of Procedures’ 

Requires that procedures for sharing developed by the 
DNI include methods to notify nonfederal entities that 
have received information from a federal entity under 
the title and known to be in error or in contravention 
to title requirements or other federal law or policy. 



Requires that the procedures incorporate existing 
information-sharing mechanisms of federal and 
nonfederal entities, including ISACs, as much as possible, 
and 

include methods to promote efficient granting of 
security clearances to appropriate representatives of 



[Note: See also Sec. 5(c), p. 25, requiring DHS to 
implement the process for sharing electronic threat 
indicators and defensive measures with the federal 
government.] 



timely sharing of (1) classified cyber threat indicators 
and (2) declassified indicators and information with 
relevant entities, (4) sharing of information about 
cybersecurity threats to such entities to prevent and 
mitigate adverse impacts, and (3) sharing with relevant 
entities, or the public as appropriate, of unclassified 
indicators. 



(b) Development of Procedures 

(1) requires that procedures for sharing developed by 
the DNI include methods to notify entities that have 
received information from a federal entity under the bill 
and known to be in error or in contravention to 
requirements in the bill or other federal law or policy. 



[Identical to PCNA] 



CRS-20 






nonfederal entities. 



(2) requires that the procedures be developed in 
coordination with appropriate federal entities, including 
the National Laboratories, to ensure implementation of 
timely sharing of indicators. 

(2) expands NCCIC membership to include the 
following [Note: all are existing entities]: 

- an entity that collaborates with state and local 
governments on risks and incidents and has a voluntary 
information sharing relationship with the NCCIC, 

- the US-CERT for collaboratively addressing, 
responding to, providing technical assistance upon 
request on, and coordinating information about and 
timely sharing of threat indicators, defensive measures, 
analysis, or information about cybersecurity risks and 
incidents, 

- the ICS-CERT to coordinate with ICS owners and 
operators, provide training on ICS cybersecurity, timely 
share information about indicators, defensive measures, 
or cybersecurity risks and incidents of ICS, and remain 
current on ICS technology advances and best practices, 

- the “National Coordinating Center for 
Communications to coordinate the protection, 
response, and recovery of emergency communications,” 
and 

- “an entity that coordinates with small and medium- 
sized businesses.” 

(3) adds “cyber threat indicators” and “defensive 
measures” to the subjects covered in the principles of 
operation of the NCCIC, 

Sec. 103. Authorizations for Preventing, 

Detecting, Analyzing, and Mitigating 
Cybersecurity Threats 



CRS-21 






Requires that information be shared as appropriate with 
small and medium-sized businesses and that the NCCIC 
make self-assessment tools available to them, 



Specifies that information be guarded against disclosure. 

Stipulates that the NCCIC must work with the DHS 
CPO to ensure that the NCCIC follows privacy and 
civil liberties policies and procedures under ‘Sec. 
226(i)(6)’; 

(4) adds new subsections to Sec. 226 of the HSA: 

‘(g) Rapid Automated Sharing’ 

‘(1)’ requires the DHS U/S-CIP to develop capabilities, 
in coordination with stakeholders and based as 
appropriate on existing standards and approaches in the 
information technology industry, that support and 
advance automated and timely sharing of threat 
indicators and defensive measures to and from the 
NCCIC and with SSAs for each CI sector in accordance 
with ‘Sec. 226(h).’ 

‘(2)’ requires the U/S-CIP to report to Congress twice 
per year on the status and progress of that capability 
until it is fully implemented. 

‘(h) Sector Specific Agencies’ 

Requires the Secretary to collaborate with relevant CI 
sectors and heads of appropriate federal agencies to 



(f) Small Business Participation 

Requires the Small Business Administration to assist 
small businesses and financial institutions in monitoring, 
defensive measures, and sharing information under the 
section. 

Requires a report with recommendations by the 
administrator to the President within one year of 
enactment on sharing by those institutions and use of 
shared information for network defense. 

Requires federal outreach to those institutions to 
encourage them to exercise the authorities provided 
under the section. 



‘Sec. 111(a)(2)’ requires that the procedures ensure 
the capability of real-time sharing consistent with 
protection of classified information. 

[Note: ‘Sec. 111(b)(2)’ requires procedures to ensure 
such sharing; see p. 24.] 



(1) [Identical to PCNA] 



CRS-22 






recognize each CI SSA designated as of March 25, 2015, 
in the DHS National Infrastructure Protection Plan. 
Designates the Secretary as SSA head for each sector 
for which DHS is the SSA. Requires the Secretary to 
coordinate with relevant SSAs to 

- support CI sector security and resilience activities, 

- provide knowledge, expertise, and assistance on 
request, and 

- support timely sharing of threat indicators and 
defensive measures with the NCCIC. 



‘(i) Voluntary Information Sharing Procedures’ 



‘(b) Definitions’ 

Defines the following terms by reference to Sec. 110 of 
the title: Appropriate Federal Entities, Cyber Threat 
Indicator, Defensive Measure, Federal Entity, and Non- 
Federal Entity. 

(b) Submittal to Congress 

Requires that the procedures developed by the DNI be 
submitted to Congress within 90 days of enactment of 
the title. 

(c) Table of Contents Amendment 

Revises the table of contents of the National Security 
Act of 1947 to reflect the addition of ‘Sec. 111.’ 

Sec. 104. Sharing of Cyber Threat Indicators and 
Defensive Measures with Appropriate Federal 
Entities Other Than the Department of Defense 
or the National Security Agency 

(a) Requirement for Policies and Procedures 

(1) Adds new subsections to ‘Sec. 111’ of the National 
Security Act of 1947 

‘(b) Policies and Procedures for Sharing with the 
Appropriate Federal Entities Other Than the 
Department of Defense or the National Security 
Agency’ 



(c) Requires that the procedures developed by the DNI 
be submitted to Congress within 60 days of enactment 
of the bill. 



Sec. 5. Sharing of Cyber Threat Indicators and 
Defensive Measures with the Federal 
Government 

(a) Requirement for Policies and Procedures 



CRS-23 






‘(1)’ permits voluntary information-sharing relationships 
for cybersecurity purposes between the NCCIC and 
nonfederal entities but prohibits requiring such an 
agreement. 

Permits the NCCIC, at the sole and unreviewable 
discretion of the Secretary, acting through the U/S-CIP, 
to terminate an agreement for repeated, intentional 
violation of the terms of ‘(i).’ 

Permits the Secretary, solely and unreviewably and 
acting through the U/S-CIP, to deny an agreement for 
national security reasons. 

‘(2)’ permits the relationship to be established through 
a standard agreement for nonfederal entities not 
requiring specific terms. 

Stipulates negotiated agreements with DHS upon 
request of a nonfederal entity where NCCIC has 
determined that they are appropriate, and at the sole 
and unreviewable discretion of the Secretary, acting 
through the U/S-CIP. 

Stipulates that any agreement in effect prior to 
enactment of the title will be deemed in compliance 
with requirements in ‘(i).’ Requires that those 
agreements include “relevant privacy protections as in 
effect” under the CRADA for Cybersecurity 
Information Sharing and Collaboration, as of December 
31, 2014. Also stipulates that an agreement is not 
required for an entity to be in compliance with ‘(i).’ 

‘(2)’ requires that the policies and procedures be 

developed in accordance with the privacy and civil 
liberties guidelines under Sec. 104(b) of the title, and 
ensure 

- real-time sharing of indicators from nonfederal entities 
with appropriate federal entities except DOD, 

- receipt without delay except for good cause, and 



‘(1)’ requires the President to develop and submit to 
Congress policies and procedures for federal receipt of 
cyber threat indicators and defensive measures. 



(1) requires the AG, in coordination with heads of 
appropriate agencies, to develop and submit to 
Congress policies and procedures for federal receipt of 
cyber threat indicators and defensive measures. 



(3) requires that, consistent with the privacy and civil 
liberties guidelines under Sec. (b), the policies and 
procedures ensure 

- automated sharing of indicators from any entity with 
the federal government through the real-time process 
under (c), 

- real-time receipt without delay, with 



CRS-24 






[Note: See also Sec. 203, p. 19, specifying the DHS 
NCCIC as the lead federal civilian interface for 
information sharing.] 



- provision to all relevant federal entities, 



- audit capability, and 

- appropriate sanctions for federal personnel who 
knowingly and willfully use shared information other 
than in accordance with the title. 

(2) requires that an interim version of the policies and 
procedures be submitted to Congress within 90 days of 
enactment of the title, and the final version within 180 
days. 



- provision permitted to other federal entities, and 

- if not through the process under (c), sharing “as 
quickly as operationally practicable,” without 
unnecessary delay, and also ensure 

- audit capability, and 

- appropriate sanctions for federal personnel who 
knowingly and willfully conduct activities under the bill 
in an unauthorized manner. 

(1) requires that an interim version of the policies and 
procedures be submitted to Congress within 60 days of 
enactment of the title, and (2) the final version within 
180 days. 

(4) requires the AG to develop public guidelines on 
matters appropriate to assist and promote sharing of 
threat indicators with federal entities, including 
identification of kinds of information constituting 

- indicators unlikely to include personal information, 

- information protected under privacy laws that is 
unlikely to be directly related to a threat. 

(c) Capability and Process Within the 
Department of Homeland Security 

(1) requires the Secretary to develop and implement, 
within 90 days of enactment, a capability and process 
within DHS that will 

- accept indicators and defensive measures in real time 
from any entity, and upon certification under (2), 

- be the process for federal receipt of indicators and 
defensive measures from private entities through 
electronic means, except for previously shared 
indicators and communications about cybersecurity 
threats by a regulated entity with its federal regulatory 
authority, 

- ensure automated receipt by federal entities of 



CRS-25 






indicators shared in real time with DHS, 

- comply with section policies, procedures, and 
guidelines, 

- not limit or prohibit otherwise lawful disclosures, 
including reporting of criminal activity, participating in a 
federal investigation, and providing indicators or 
measures under a statutory or contractual requirement. 

(2) requires the Secretary, in consultation with the 
heads of appropriate federal agencies, to certify to 
Congress at least 10 days before implementation 
whether the capability and process operates as the 
process for receipt of indicators and measures from any 
entity in accordance with section policies, procedures, 
and guidelines. 

(3) requires the Secretary to ensure public notice of 
and access to the process so that entities may share 
indicators and measures through it and federal entities 
receive them in real time. 

(4) requires the process under (1) to ensure timely 
receipt by federal entities of shared indicators and 
measures. 

(5) requires an unclassified report, which may include a 
classified annex, to Congress by the Secretary within 60 
days of enactment on development and implementation 
of requirements in (1) and (3). 

(c) National Cyber Threat Intelligence 
Integration Center 

(1) Adds a new section to the National Security Act of 
1947. 

‘Sec. 119B. Cyber Threat Intelligence 
Integration Center’ 

‘(a) Establishment’ 



CRS-26 






‘(3) Information Sharing Authorization’ 



Permits nonfederal entities to share, for cybersecurity 
purposes, cyber threat indicators, and defensive 
measures, from their own information systems or those 
of other entities upon written consent, 

with other nonfederal entities or the NCCIC , 



Establishes the CTIIC within the ODNI. 

‘(b) Director’ 

Creates a director for the CTIIC, to be appointed by 
the DNI. 

‘(c) Primary Missions’ 

Specifies the missions of the CTIIC with respect to 
cyberthreat intelligence as 

- serving as the primary federal organization for 
analyzing and integrating it, 

- ensuring full access and support of appropriate 
agencies to activities and analysis, 

- disseminating analysis to the President, appropriate 
agencies, and Congress, 

- coordinating agency activities, and 

- conducting strategic federal planning. 

‘(d) Limitations’ 

Requires that the CTIIC 

- have no more than 50 permanent positions, 

- may not augment staff above that limit in carrying out 
its primary missions, and 

- be located in a building owned and operated by an 
element of the IC. 

(4) revises the table of contents of the National 
Security Act of 1947. 

Sec. 103(c) Authorization for Sharing or 
Receiving Cyber Threat Indicators or Defensive 
Measures 

(1) permits nonfederal entities to share, for 
cybersecurity purposes and consistent with privacy 
requirements under (d)(2) and protection of classified 
information, lawfully obtained cyber threat indicators or 
defensive measures 

with other nonfederal entities or appropriate federal 



Sec. 4(c) Authorization for Sharing or Receiving 
Cyber Threat Indicators or Defensive Measures 

(1) permits entities to share, “for the purposes 
permitted under this Act and consistent with protection 
of classified information,” cyber threat indicators or 
defensive measures 

with any entity or the federal government, 



CRS-27 






notwithstanding any other provision of law, 

except that nonfederal recipients must comply with 
lawful restrictions on sharing and use imposed by the 
source. 



Requires reasonable efforts by nonfederal and federal 
entities, prior to sharing, to 

safeguard personally identifying information from 
unintended disclosure or unauthorized access or 
acquisition and 

remove or exclude such information where it is 
reasonably believed when it is shared to be unrelated to 
a cybersecurity risk or incident. 



Stipulates that nothing in ‘(3)’ 

- limits or modifies an existing information sharing 
relationship or prohibits or requires a new one, 



entities except DOD, 

notwithstanding any other provision of law, 

(2) [Similar to NCPAA], 

(d) Protection and Use of Information 

(2) requires reasonable efforts by nonfederal entities, 
before sharing a threat indicator, to 



remove information reasonably believed to be personal 
or personally identifying of a specific person not directly 
related to a cybersecurity threat, or 
implement a technical capability for removing such 
information. 

Sec. 109. Construction and Preemption 
(f) Information Sharing Relationships 

Stipulates that nothing in the title 

- (1) limits or modifies an existing information sharing 
relationship or (2) prohibits or requires a new one. 



Sec. 103(c)(3) stipulates that nothing in (c) 



- authorizes information sharing other than as provided 
in (c), 

- permits unauthorized sharing of classified information, 

- authorizes federal surveillance of any person, 

- prohibits a federal entity, at the request of a 
nonfederal entity, from technical discussion of threat 



notwithstanding any other provision of law, 

(2) [Similar to NCPAA], 

(d) Protection and Use of Information 

(2) requires entities, before sharing a threat indicator, 
to 



remove information known to be personal or personally 
identifying of a specific person not directly related to a 
cybersecurity threat, or 

implement and use a technical capability for removing 
such information. 
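The “technical capability for removing such information” that PCNA Sec. 103(d)(2) and CISA Sec. 4(d)(2) contemplate, and the NCPAA’s “reasonable efforts” to remove personally identifying information unrelated to the risk, is something each sharing participant has to build for itself; none of the bills specifies how. The Python sketch below is an added example written for this page, not text from the bills or from the CRS report. It assumes a simple indicator record (a dict with a `kind`, a `value`, free-text `description`, and some context fields), assumes that field names such as `victim_email` and `reported_by` mark personal data, and uses constructed sample indicators with `.example` domains and a TEST-NET address. It keeps the attacker-controlled observable (the phishing sender address, the C2 address), since that is the threat itself, and strips or redacts addresses of victims and reporters, which are not “directly related to a cybersecurity threat.” It also returns an audit log of what was removed, which is the kind of record the audit-capability provisions of the bills would call for.

```python
"""
Scrubbing personal information from a cyber threat indicator before sharing.

Added example (not from the bills or the CRS report). The record layout, the
field names, the regular expression and the sample indicators are all
constructed assumptions for illustration.
"""
import copy
import re

# Structured context fields that describe specific persons rather than the
# threat itself (assumed field names).
PERSONAL_CONTEXT_FIELDS = ("victim_email", "victim_name", "employee_id", "reported_by")

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
REDACTED = "[redacted-email]"


def scrub_indicator(indicator):
    """Return (scrubbed_copy, audit_log) for one indicator dict.

    The attacker-controlled observable is kept because it *is* the threat;
    addresses of victims, reporters and employees are not directly related
    to the threat and are removed. The audit log records what was removed
    so the sharing entity can show it exercised the capability.
    """
    scrubbed = copy.deepcopy(indicator)
    audit = []

    # 1. Drop fields that are personal by construction.
    for field in PERSONAL_CONTEXT_FIELDS:
        if field in scrubbed:
            del scrubbed[field]
            audit.append(f"dropped field {field!r}")

    # 2. A sender address used by the attacker is the indicator; keep only it.
    allowed = set()
    if scrubbed.get("kind") == "email-sender":
        allowed.add(scrubbed["value"].lower())

    def redact(text, where):
        def replace(match):
            address = match.group(0)
            if address.lower() in allowed:
                return address
            audit.append(f"redacted email address in {where!r}")
            return REDACTED
        return EMAIL_RE.sub(replace, text)

    # 3. Redact addresses embedded in free text and inside the observable
    #    itself (e.g. a phishing URL carrying the target's address as a
    #    query parameter).
    for field in ("value", "description"):
        if isinstance(scrubbed.get(field), str):
            scrubbed[field] = redact(scrubbed[field], field)

    return scrubbed, audit


def scrub_batch(indicators):
    """Scrub a list of indicators; return (scrubbed_list, combined_audit)."""
    scrubbed_all, audit_all = [], []
    for index, indicator in enumerate(indicators):
        scrubbed, audit = scrub_indicator(indicator)
        scrubbed_all.append(scrubbed)
        audit_all.extend(f"indicator {index}: {entry}" for entry in audit)
    return scrubbed_all, audit_all


# Constructed sample indicators (domains use .example; the IP address is
# from the TEST-NET-3 documentation range).
SAMPLE_INDICATORS = [
    {
        "kind": "email-sender",
        "value": "invoice@payroll-update.example",
        "description": "Phishing campaign; message sent to jane.doe@victim.example",
        "victim_email": "jane.doe@victim.example",
        "reported_by": "j.smith@victim.example",
        "tlp": "amber",
    },
    {
        "kind": "url",
        "value": "http://login-verify.example/?u=jane.doe@victim.example&t=9f2",
        "description": "Credential-harvesting page linked from the phishing email",
        "employee_id": "4471",
    },
    {
        "kind": "ipv4",
        "value": "203.0.113.45",
        "description": "C2 beacon destination",
    },
]


if __name__ == "__main__":
    cleaned, log = scrub_batch(SAMPLE_INDICATORS)
    for record in cleaned:
        print(record)
    for entry in log:
        print("audit:", entry)
```

Two design points matter in practice. The allow-list is keyed to the indicator’s own `kind`, so a victim address never survives merely because it looks like an email; only the attacker sender address for an `email-sender` indicator is kept. And the phishing URL case shows why redaction has to run over the observable itself, not just over commentary: targeted links routinely embed the recipient’s address, and CISA’s “known to be personal” standard is met the moment the analyst sees it there.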

Sec. 8. Construction and Preemption 
(f) Information Sharing Relationships 

Stipulates that nothing in the bill 
[Similar to PCNA], or 

requires use of the DHS sharing process under Sec. 5(c) 
[p. 25], 

Sec. 4(c)(3) stipulates that nothing in (c) 

[Identical to PCNA] 



CRS-28 






- limits otherwise lawful activity, or 

- impacts or modifies existing procedures for reporting 
criminal activity to appropriate law enforcement 
authorities, or participating in an investigation. 

Requires the U/S-CIP to coordinate with stakeholders 
to develop and implement policies and procedures to 
coordinate disclosures of vulnerabilities as practicable 
and consistent with relevant international industry 
standards. 

‘(4) Network Awareness Authorization’ 

permits nonfederal, nongovernment entities, 
notwithstanding any other provision of law, to conduct 
network awareness, for cybersecurity purposes and to 
protect rights or property, of 

- its own information systems, 

- with written consent, information systems of a 
nonfederal or federal entity, or 

- the contents of such systems. 

Stipulates that nothing in ‘(4)’ 

- authorizes network awareness other than as provided 
in the section, or 

- limits otherwise lawful activity, 



‘(5) Defensive Measure Authorization’ 



indicators and defensive measures and assistance with 
vulnerabilities and threat mitigation, 

- prohibits otherwise lawful sharing by a nonfederal 
entity of indicators or defensive measures with DOD, 
or 

[Similar to NCPAA] 



(a) Authorization for Private-Sector Defensive 
Monitoring 

(1) permits private entities, notwithstanding any other 
provision of law, to 

monitor, for cybersecurity purposes, 



[Similar to NCPAA], 
[Similar to NCPAA], or 



[Similar to NCPAA]. 

(2) Stipulates that nothing in (a) 

- authorizes monitoring other than as provided in the 
title. 

[Similar to NCPAA], 

- authorizes federal surveillance of any person. 

(b) Authorization for Operation of Defensive 
Measures 



[Identical to PCNA] 



(a) Authorization for Monitoring 

[Similar to PCNA], 

[Identical to PCNA], 

[Similar to NCPAA], or 

[Identical to PCNA]. 

[Identical to NCPAA], 

[Similar to PCNA]. 



(b) Authorization for Operation of Defensive 
Measures 



CRS-29 






permits nonfederal, nongovernment entities to operate 
defensive measures, for cybersecurity purposes and to 
protect rights or property, that are applied to 

- its own information systems, 

- with written consent, information systems of a 
nonfederal or federal entity, or 



- the contents of such systems, 

notwithstanding any other provision of law, except that 
measures may not be used except as authorized in the 
section, and ‘(5)’ does not limit otherwise lawful activity. 

[No Corresponding Provision; however, the definition 
of defensive measure in Sec. 202(a) includes a similar 
restriction; see p. 17.] 



‘(6) Privacy and Civil Liberties Protections’ 

Requires the U/S-CIP, 

in coordination with the DHS CPO and Chief Civil 
Rights and Civil Liberties Officer, 

to establish and review annually policies and procedures 
on information shared with the NCCIC under the 



(1) permits private entities to operate defensive 
measures, for a cybersecurity purpose and to protect 
rights or property, that are operated on 

[Similar to NCPAA], or 

- with written authorization, information systems of a 
nonfederal or federal entity, or 



(1) notwithstanding any other provision of law, except 
(3) that measures may not be used except as 
authorized in (b), and (b) does not limit otherwise 
lawful activity. 

(2) stipulates that (1) does not authorize operation of 
defensive measures that destroy, render wholly or 
partly unusable or inaccessible, or substantially harm an 
information system or its contents not owned by either 
the private entity operating the measure or a nonfederal 
or federal entity that provided written authorization to 
that private entity. 

(e) No Right or Benefit 

Stipulates that sharing of indicators with a nonfederal 
entity creates no right or benefit to similar information 
by any nonfederal entity. 



Sec. 104(b) Privacy and Civil Liberties 

(1) requires the AG, 

in consultation with appropriate federal agency heads 
and agency privacy and civil liberties officers, 



to develop and review periodically guidelines on privacy 
and civil liberties to govern federal handling of cyber 



(I) permits private entities to operate defensive 
measures, for cybersecurity purposes and to protect 
rights or property, that are applied to 

[Similar to NCPAA] 

- with written consent, information systems of another 
entity, or 

a federal entity with written consent of an authorized 
representative 



(1) notwithstanding any other provision of law, except 

(2) [Identical to PCNA], 



[No Corresponding Provision; however, the definition 
of defensive measure in Sec. 2 includes a similar 
restriction; see p. 17.] 



(f) No Right or Benefit 

Stipulates that sharing of indicators with an entity 
creates no right or benefit to similar information by any 
entity. [Note: Definition of entity in CISA is similar to 
definition of nonfederal entity in PCNA; see p. 18.] 

Sec. 5(b) Privacy and Civil Liberties 

(1) requires the AG, 

in coordination with appropriate federal entity heads 
and in consultation with agency privacy and civil liberties 
officers, 

to develop interim guidelines on privacy and civil 
liberties to govern federal handling of cyber threat 



CRS-30 






section. 

[Note: No requirement for interim policies and 
procedures] 



Requires that they apply only to DHS and that, consistent 
with the need for timely protection of information systems 
from and mitigation of cybersecurity risks and incidents, 
the policies and procedures 

- be consistent with DHS FIPPs, 



- “reasonably limit, to the extent practicable, receipt, 
retention, use, and disclosure of cybersecurity threat 
indicators and defensive measures associated with 
specific persons” not needed for timely protection of 
systems and networks, 



- minimize impacts on privacy and civil liberties, 



threat indicators obtained through the title’s provisions. 



[Note: No distinction between requirements for interim 
and final versions of the guidelines] 



(2) requires that, consistent with the need for 
protection of information systems and threat mitigation, 
the guidelines 



- be consistent with FIPPs in the White House National 
Strategy for Trusted Identities in Cyberspace [Note: The 
two versions of the principles are identical, except that 
the DHS version applies the principles to DHS whereas 
the White House document applies them to 
“organizations”], 

- limit receipt, retention, use, and dissemination of 
cybersecurity threat indicators containing personal 
information of or identifying specific persons, 



including by establishing processes for prompt 
destruction of information known not to be directly 
related to uses for cybersecurity purposes, setting 
limitations on retention of indicators, and notifying 
recipients that indicators may be used only for 
cybersecurity purposes, and, 

- limit impacts on privacy and civil liberties of federal 
activities under the title, including 



indicators obtained through the bill’s provisions: 

(2) in coordination with appropriate federal entity 
heads and in consultation with agency privacy and civil 
liberties officers and relevant private entities with 
industry expertise, 

to promulgate, and review periodically in coordination 
with appropriate agency heads and consultation with 
agency privacy and civil liberties officers and relevant 
private entities, final guidelines on privacy and civil 
liberties to govern federal handling of cyber threat 
indicators obtained through the bill’s provisions; 

(3) [Similar to PCNA] 



(a) (3) requires that, consistent with the bill, applicable 
provisions of law and the FIPPs in the White House 
National Strategy for Trusted Identities in Cyberspace 
govern federal retention, use, and dissemination of 
information shared with the federal government under 
the bill; 

(b)(3) [Similar to PCNA], 



including by establishing processes for timely 
destruction of information known not to be directly 
related to uses under the title , and setting limitations on 
retention of indicators, and requiring that recipients be 
informed that indicators may be used only for purposes 
authorized under the bill, 

- limit impacts on privacy and civil liberties of federal 
activities under the bill, 



CRS-31 






- provide data integrity through prompt removal and 
destruction of obsolete or erroneous personal 
information unrelated to the information shared and 
retained by the NCCIC in accordance with this section, 

- include requirements to safeguard from unauthorized 
access or acquisition cyber threat indicators and 
defensive measures retained by the NCCIC, 

identifying specific persons, including proprietary or 
business-sensitive information, 

- protect the confidentiality of cyber threat indicators 
and defensive measures associated with specific persons, 
to the greatest extent practicable, 

- ensure that relevant constitutional, legal, and privacy 
protections are observed. 



Stipulates that the U/S-CIP may consult with NIST in 
developing the policies and procedures. 

Requires the DHS CPO and the Officer for Civil Rights 
and Civil Liberties, in consultation with the PCLOB, to 
submit to appropriate congressional committees 

the policies and procedures within 180 days of 
enactment and annually thereafter. 

Requires the U/S-CIP, in consultation with the PCLOB 
and the DHS CPO and Chief Civil Rights and Civil 
Liberties Officer, to ensure public notice of and access 
to the policies and procedures. 



guidelines for removal of personal and personally 
identifying information handled by federal entities under 
the title, 



- include requirements to safeguard from unauthorized 
access or acquisition cyber threat indicators 



containing personal information of or identifying specific 
persons, 



- be consistent with other applicable provisions of law, 



- include procedures to notify entities if a federal entity 
receiving information knows that it is not a cyber threat 
indicator, 

- include steps to ensure that dissemination of 
indicators is consistent with the protection of classified 
and other sensitive national security information. 



(3) requires the AG to submit to Congress 



interim guidelines within 90 days of enactment and final 
guidelines within 180 days. 



[Identical to PCNA] 



[Identical to PCNA] 

- protect the confidentiality of cyber threat indicators 
containing personal information of or identifying specific 
persons, to the greatest extent practicable, 

[See (a)(3), p. 31, stating that applicable provisions of 
law will govern information sharing activities, consistent 
with the bill], 

[Similar to PCNA], 



[Similar to PCNA]. 



Requires the AG to submit to Congress 



(1) interim guidelines within 60 days of enactment and 

(2) final guidelines within 180 days. 

(1) requires the AG to make the interim guidelines 
available to the public. [Note: There is no similar 
requirement for the final guidelines.] 



CRS - 32 






Requires the DHS CPO to 

- monitor implementation of the policies and 
procedures, 

- submit to Congress an annual review on their 
effectiveness, 

- work with the U/S-CIP to carry out provisions in ‘(c)’ 
on notification about violations of privacy and civil 
liberties policies and procedures and about information 
that is erroneous or in contravention of section 
requirements, 

- regularly review and update impact assessments as 
appropriate to ensure that all relevant protections are 
followed, and 

- ensure appropriate sanctions for DHS personnel who 
knowingly and willfully conduct unauthorized activities 
under the section. 



Requires the DHS IG, in consultation with the PCLOB 
and IGs of other agencies receiving shared indicators or 
defensive measures from the NCCIC, to submit a 
report to HSC and HSGAC within two years of 
enactment and periodically thereafter reviewing such 
information, including 

- receipt, use, and dissemination of cybersecurity 
indicators and defensive measures shared with federal 
entities under the section, 

- information on NCCIC use of such information for 
purposes other than cybersecurity, 

- types of information shared with the NCCIC, 

- actions taken by NCCIC based on shared information, 



(2) requires that the AG’s guidelines include 
appropriate sanctions for federal activities in 
contravention of them. [Note: The provision does not 
specify whether these sanctions are limited to violation 
of requirements for safeguarding information or the 
guidelines as a whole.] 

Sec. 107. Oversight of Government Activities 

(b) Reports on Privacy and Civil Liberties. 

(2) requires the IGs of DHS, the IC, DOJ, and DOD, in 
consultation with the IG Council, to jointly submit a 
report to Congress within two years of enactment and 
biennially thereafter, on 



- receipt, use, and dissemination of cybersecurity 
indicators and defensive measures shared with federal 
entities under the title, 



- types of indicators shared with federal entities, 

- actions taken by federal entities as a result of receiving 



(b)(3) [Identical to PCNA] 



Sec. 7. Oversight of Government Activities 

(b) Reports on Privacy and Civil Liberties. 

(2) requires the IGs of DHS, the IC, DOJ, DOD, and 
the Department of Energy, in consultation with the IG 
Council, to jointly submit a biennial report to Congress 
on 

[Similar to PCNA], 



[Identical to PCNA], 
[Identical to PCNA], 



CRS - 33 








shared indicators. 




- metrics to determine impacts of sharing on privacy 
and civil liberties, 






- a list of federal agencies receiving the information. 


- a list of federal entities receiving the indicators. 


[Identical to PCNA], and 


- review of sharing of information within the federal 
government to identify inappropriate stovepiping of 
shared information, and 


- review of sharing of indicators among federal entities 
to identify inappropriate barriers to sharing information. 


[Identical to PCNA]. 




- procedures for sharing information and removal of 
personal and identifying information, and incidents 
involving improper treatment of it, and 




- recommendations for improvements or modifications 
to sharing under the section. 


- recommendations for improvements or modifications 
to authorities under the title. 


(3) permits inclusion of recommendations for 
improvements or modifications to authorities under the 
bill. 




Requires that the reports be submitted in unclassified 
form but permits a classified annex. 


(4) [Similar to PCNA], 




Requires public availability of unclassified parts of the 
reports. 






(1) adds a new paragraph to Sec. 1061(e) of the 
Intelligence Reform and Terrorism Prevention Act of 
2004: 




Requires the DHS CPO and Chief Civil Rights and Civil 
Liberties Officer, in consultation with the PCLOB, the 
DHS IG, and senior privacy and civil liberties officers of 
each federal agency receiving indicators or defensive 
measures shared with the NCCIC, to 


‘(3)’ requires the PCLOB to 


(1) [Similar to PCNA] 


submit a biennial report to Congress 


submit a biennial report to Congress and the President 


[Similar to PCNA] 


assessing impacts on privacy and civil liberties of federal 
activities under ‘(6)’, including 


assessing impacts of activities under the title on and 
sufficiency of policies, procedures, and guidelines in 
addressing concerns about privacy and civil liberties, 
including 


assessing effects of the types of activities under the 
bill on, and sufficiency of, policies, procedures, and 
guidelines in addressing concerns about privacy and civil 
liberties, 


recommendations to minimize or mitigate such impacts. 


recommendations for improvements or modifications to 
authorities under the title. 


(3) permits inclusion of recommendations for 
improvements or modifications to authorities under the 



CRS - 34 






Requires that the two reports be submitted in 
unclassified form but permits a classified annex. 

Requires that the reports be submitted in unclassified 
form but permits a classified annex. 

Requires public availability of unclassified parts of the 
reports. 

(a) Biennial Report on Implementation 

(1) Adds to ‘Sec. 111’ of the National Security Act 

‘(c) Biennial Report on Implementation’ 

‘(1)’ requires the DNI to submit a report to Congress 
on implementation of the title, (2) within one year of 
enactment and ‘(1)’ at least biennially thereafter, 

‘(2)’ including 



- review of types of indicators shared with the federal 
government, 

- the degree to which such information may impact 
privacy and civil liberties of specific persons, along with 
quantitative and qualitative assessment of such impacts 
and adequacy of federal efforts to reduce them, 

- assessment of sufficiency of policies, procedures, and 
guidelines to ensure effective and responsible sharing 
under Sec. 4 [sic] of PCNA, 



- sufficiency of procedures under Sec. 3 [sic] for timely 
sharing [Note: References ‘Sec. 111(a)(1)’ as added by 
the title; see p. 20], 

- appropriateness of classification of indicators and 
accounting of security clearances authorized, 

- federal actions taken based on shared indicators, 
including appropriateness of subsequent use or 



(4) [Similar to PCNA], 



(a) Biennial Report on Implementation 



(1) requires joint reports to Congress from 

- the heads of appropriate federal agencies and 

- the IGs of DHS, the IC, DOJ, DOD, and the 
Department of Energy, in consultation with the IG 
Council on implementation of the bill, within one year 
of enactment and at least biennially thereafter, including 

[Similar to PCNA], 

[Identical to PCNA], 



- assessment of sufficiency of policies, procedures, and 
guidelines to ensure effective and responsible sharing 
under Sec. 5, 

- effectiveness of real-time sharing under Sec. 5(c). 

- sufficiency of procedures under Sec. 3 for timely 
sharing, 

[Similar to PCNA], 

[Similar to PCNA], 



CRS - 35 






‘(7) Uses and Protection of Information’ 
[Nonfederal Entities] 

Permits a nonfederal, nongovernment entity that shares 
indicators or defensive measures with the NCCIC to 

use, retain, or disclose indicators and defensive 



dissemination under the title, 

- description of any significant federal violations of the 
requirements of the title, including assessments of all 
reports of federal personnel misusing information 
provided under the title and all disciplinary actions 
taken, and 

- a summary of the number and types of nonfederal 
entities receiving classified indicators from the federal 
government and evaluation of risks and benefits of such 
sharing. 

- assessment of personal or personally identifying 
information not directly related to a threat that was 
shared by a nonfederal entity with the federal 
government in contravention to Sec. 3(d)(2) or within 
the government in contravention of Sec. 4(b) guidelines. 
[Note: Intended reference to Sec. 103 and 104 
respectively.] 

‘(3)’ permits reports to include recommendations for 
improvements or modifications to authorities and 
processes under the title. 

‘(4)’ requires that the reports be submitted in 
unclassified form but permits a classified annex. 

‘(5)’ requires public availability of unclassified parts of 
the reports. 

Sec. 103. Authorizations for Preventing, 
Detecting, Analyzing, and Mitigating 
Cybersecurity Threats 

(d) Protection and Use of Information 



(3) permits a nonfederal entity [Note: including 
government entities], for a cybersecurity purpose, to 

use an “indicator or defensive measure shared or 
received under this section to monitor or operate a 



- description of any significant federal violations of the 
requirements of the title, 



[Similar to PCNA], 



[Similar to PCNA]. 



[Similar to PCNA]. 



Sec. 4. Authorizations for Preventing, Detecting, 
Analyzing, and Mitigating Cybersecurity Threats 

(d) Protection and Use of Information 

(3) permits an entity [Note: including government 
entities], for cybersecurity purposes, to 

use indicators or defensive measure shared or received 
under this section to monitor or operate a defensive 



CRS - 36 






measures, solely for cybersecurity purposes. 



Requires reasonable efforts prior to sharing to 
safeguard personally identifying information from 
unintended disclosure and unauthorized access or 
acquisition, and remove or exclude such information 
where it is reasonably believed when shared to be 
unrelated to a cybersecurity risk or incident. 

Requires compliance with appropriate restrictions on 
subsequent disclosure or retention placed by a federal 
or nonfederal entity on indicators or defensive 
measures disclosed to other entities. 

Stipulates that the information shall be deemed 
voluntarily shared. 

Requires implementation and utilization of security 
controls to protect against unauthorized access or 
acquisition. 

Prohibits use of such information to gain an unfair 
competitive advantage. 

[Federal Entities] 

Permits federal entities receiving indicators or defensive 
measures from the NCCIC or otherwise under the 
section to use, retain, or further disclose it solely for 

cybersecurity purposes. 



defensive measure on” its own information systems or 
those of other nonfederal or federal entities upon 
written authorization from them, with 

[See (2), p. 28, describing requirements for removal of 
personal information]. 



further use, retention, or sharing subject to lawful 
restrictions by the sharing entity or otherwise applicable 
provisions of law. 



(1) requires implementation of appropriate security 
controls to protect against unauthorized access or 
acquisition. [Note: Also applies to nonfederal 
government entities.] 



Sec. 104(d) Information Shared with or Provided 
to the Federal Government 

(5) permits federal entities or personnel receiving 
indicators or defensive measures under the title to, 
consistent with otherwise applicable provisions of 
federal law, use, retain, or disclose it solely for 

a cybersecurity purpose, 



measure on its own information systems or those of 
other entities upon written consent from them, with 

[See (2), p. 28, describing requirements for removal of 
personal information]. 



[Similar to PCNA]. 



(1) Requires implementation and utilization of security 
controls to protect against unauthorized access or 
acquisition. [Note: Also applies to nonfederal 
government entities.] 



(3) Prohibits use of such information other than as 
authorized in (d). 

Sec. 5(d) Information Shared with or Provided 
to the Federal Government 

(5) [Similar to PCNA] 



[Identical to PCNA] 

identifying a cybersecurity threat, 

- including a source or vulnerability, 

- use of an information system by a foreign adversary or 
terrorist, 



CRS - 37 






[Note: Sec. 216 (see p. 53) permits use of information 
obtained from federal systems for investigating, 
prosecuting, disrupting, or otherwise responding to 

imminent threats of death or serious bodily harm 



serious threats to minors, including sexual exploitation 
or threats to physical safety, and 

violations of 18 U.S.C. 1030 [computer fraud], or 



attempts or conspiracy to commit the above offenses.] 



Requires reasonable efforts prior to sharing to 
safeguard personally identifying information from 
unintended disclosure and unauthorized access or 
acquisition, and remove or exclude such information 
where it is reasonably believed when shared to be 
unrelated to a cybersecurity risk or incident. 



Requires implementation and utilization of security 
controls to protect against unauthorized access or 



“responding to, investigating, prosecuting, or otherwise 
preventing or mitigating” 



threats of death or serious bodily harm or offenses 
arising out of such threats, 



“a serious threat to a minor, including sexual 
exploitation and threats to physical safety,” and 

- preventing, investigating, disrupting, or prosecuting 
offenses listed in 18 U.S.C. 1028-30, 3559(c)(2)(F), and 
Ch. 37 and 90 [computer fraud and identity theft, 
espionage and censorship, protection of trade secrets, 
and serious violent felonies]. 



Prohibits federal disclosure, retention, or use for any 
purpose not permitted under (5). 

Stipulates that the policies, procedures, and guidelines in 
(a) [on provision of information to the federal 
government] and (b) [on privacy and civil liberties] of 
the title apply to such information. 



‘Sec. 111(a)(2)’ requires that procedures for sharing 
developed include methods for federal entities to 
assess, prior to sharing, whether an indicator contains 
information known to be personal or personally 
identifying of a specific person and to remove such 
information, or to implement a technical capability to 
remove or exclude such information. 

‘Sec. 111(a)(2)’ requires that procedures for sharing 
developed by the DNI include requirements for federal 



“responding to or otherwise preventing or mitigating” 



imminent threats of death or serious bodily harm or 

“serious economic harm, including a terrorist act or a 
use of a weapon of mass destruction,” 

[Identical to PCNA], 

[Similar to PCNA] or 



[Similar to PCNA]. 

Stipulates that the policies, procedures, and guidelines in 
(a) and (b) apply to such information, that confidentiality 
of personal or personally identifying information in 
indicators must be protected and the information 
protected from unauthorized use or disclosure. 

Sec. 3(b)(1) requires that procedures for sharing 
developed include methods for federal entities to 
assess, prior to sharing, whether an indicator contains 
information known to be personal or personally 
identifying of a specific person and to remove such 
information, or to implement and utilize a technical 
capability to remove such information. 

Sec. 3(b)(1) requires that procedures for sharing 
developed by the DNI include requirements for federal 



CRS - 38 






acquisition. 



Prohibits use in surveillance or collection activities to 
track an individual’s personally identifiable information 
except as authorized in the section. 

Stipulates that the indicators and defensive measures 
shared from a federal or nonfederal entity under the 
section shall be deemed to have been voluntarily shared. 

Stipulates that the information is exempt from 
disclosure under 5 U.S.C. 552 [the Freedom of 
Information Act (FOIA)] or nonfederal disclosure laws 
and withheld, without discretion, from the public under 
5 U.S.C. 552(3)(B). 



Prohibits federal use for regulatory purposes. 



Specifies that there is no waiver of applicable privilege 
or protection under law, including trade-secret 
protection; 

Requires that the information be considered the 
commercial, financial, and proprietary information of the 
nonfederal entity when so designated by it. 



entities to implement security controls to protect 
against unauthorized access to or acquisition of shared 
information. 

Sec. 109(a) Prohibition of Surveillance 

Stipulates that the title does not authorize DOD or any 
element of the IC to target a person for surveillance. 



Sec. 104(d)(3) stipulates that an indicator or defensive 
measure provided to the federal government under the 
bill shall be deemed voluntarily shared information. 

Stipulates that the information is exempt from 
disclosure under FOIA or nonfederal disclosure laws 
and withheld, without discretion, from the public under 
5 U.S.C. 552(3)(B), 



except for information requiring disclosure in criminal 
prosecutions. 

[Note: No specific corresponding prohibition, but Sec. 
104(d)(5) above prohibits federal disclosure, retention, 
or use for any purpose other than those specified in the 
paragraph.] 



(1) [Similar to NCPAA], 



(2) requires that, consistent with the title, the 
information be considered the commercial, financial, and 
proprietary information of the originating nonfederal 
source, when so designated by such source or 
nonfederal entity acting with written authorization from 
it. 



entities to implement and utilize security controls to 
protect against unauthorized access to or acquisition of 
shared information. 



Sec. 5(d)(3) stipulates that indicators and defensive 
measures provided to the federal government under the 
bill shall be deemed voluntarily shared information. 

[Similar to PCNA]. 



(5) prohibits federal or nonfederal use to regulate 
lawful activities of an entity, including enforcement 
actions and activities relating to monitoring, defense, or 
sharing of indicators, except to inform development or 
implementation of authorized regulations relating to 
prevention or mitigation of threats to information 
systems and to procedures under the bill. 

(1) [Similar to NCPAA], 



(2) requires that, consistent with Sec. 4(c)(2), the 
information be considered the commercial, financial, 
and proprietary information of the entity providing it, 
when so designated by the originating entity or third 
party acting with written authorization from it. 



CRS - 39 






Stipulates that the information is not subject to judicial 
doctrine or rules of federal entities on ex-parte 
communications. 

[Nonfederal Government Entities] 

Permits state, local, and tribal government to 



use, retain, or further disclose indicators or defensive 
measures shared under the section solely for 
cybersecurity purposes. 



Requires reasonable efforts prior to sharing to 
safeguard personally identifying information from 
unintended disclosure and unauthorized access or 
acquisition, and remove or exclude such information 
where it is reasonably believed when shared to be 
unrelated to a cybersecurity risk or incident. 

Stipulates that the information be considered 
“commercial, financial, and proprietary” if so designated 
by the provider. 



(4) [Similar to NCPAA] 



[Note: See also Nonfederal Entities, p. 36.] 

Sec. 103(d)(4) permits state, local, and tribal 
government entities 



to use shared cyber threat indicators for [Note: 
Purposes below are included by reference to specified 
provisions in Sec. 104(d)(5)] 

a cybersecurity purpose, 

“responding to, investigating, prosecuting, or otherwise 
preventing or mitigating” 

“a threat of death or serious bodily harm or an offense 
arising out of such a threat,” or 



“a serious threat to a minor, including sexual 
exploitation and threats to physical safety.” 



[See (2), p. 28, describing requirements for removal of 
personal information.] 



[Note: Sec. 103(d)(3) stipulates that further use, 
retention, or sharing of information received by a 
nonfederal entity is subject to lawful restrictions by the 
sharing entity or otherwise applicable provisions of law. 
See Nonfederal Entities, p. 36.] 



(4) [Similar to NCPAA] 



[Note: See also Nonfederal Entities, p. 36.] 

Sec. 4(d)(4) permits state, local, and tribal government 
entities, with prior written consent of sharing entity or 
oral consent in exigent circumstances, 

to use shared cyber threat indicators for [Note: included 
by reference to specified provisions in Sec. 5(d)(5)] 



investigating, prosecuting, or preventing 

“an imminent threat of death, serious bodily harm, or 
serious economic harm, including a terrorist act or a 
use of a weapon of mass destruction,” or 



offenses relating to serious violent felonies, fraud and 
identity theft, espionage and censorship, and protection 
of trade secrets. [ Note: The bill cites provisions in title 
18 of the U.S. Code.] 

[Similar to PCNA]. 



[Similar to PCNA]. 



CRS - 40 






Stipulates that the indicators and defensive measures 
shall be deemed voluntarily shared. 

Requires implementation and utilization of security 
controls to protect against unauthorized access or 
acquisition. 

Exempts the information from disclosure under 
nonfederal disclosure laws or regulations. 

Prohibits use for regulation of lawful activities of 
nonfederal entities. 



‘(8) Liability Exemptions’ 

States that “no cause of action shall lie or be maintained 
in any court” against nonfederal, nongovernment 
entities for conducting network awareness under ‘(4)’ in 
accordance with the section or 



for sharing indicators or defensive measures under ‘(3),’ 
or a good-faith failure to act if sharing is done in 
accordance with the section. 



Stipulates that nothing in the section 



Stipulates that such shared indicators or defensive 
measures be deemed voluntarily shared and exempt 
from disclosure, and 

(1) requires implementation of appropriate security 
controls to protect against unauthorized access or 
acquisition. [Note: Also applies to nonfederal 
nongovernment entities.] 

Exempts the information from disclosure under 
nonfederal disclosure laws or regulations, except as 
required in criminal prosecutions. 



Sec. 106. Protection from Liability 

(a) Monitoring of Information Systems 

States that “no cause of action shall lie or be maintained 
in any court” against private entities for monitoring 
information systems under Sec. 103(a) conducted in 
accordance with the title or 

(b) Sharing or Receipt of Cyber Threat 
Indicators 

for information sharing under Sec. 103(c) in accordance 
with the title or a good-faith failure to act if sharing is 
done in accordance with the title. 



(c) Willful Misconduct 

(1) Stipulates that nothing in the section 



Stipulates that such shared indicators be deemed 
voluntarily shared and exempt from disclosure, and 

(1) Requires implementation and utilization of security 
controls to protect against unauthorized access or 
acquisition. [Note: Also applies to nonfederal 
nongovernment entities.] 

(4) Exempts the information from disclosure under 
nonfederal disclosure laws or regulations. 

Prohibits use to regulate lawful activities of an entity, 
including enforcement actions and activities relating to 
monitoring, defense, or sharing of indicators, except to 
inform development or implementation of authorized 
regulations relating to prevention or mitigation of 
threats to information systems. 

Sec. 6. Protection from Liability 

(a) Monitoring of Information Systems 

[Similar to PCNA, but refers to Sec. 4(a)] 

(b) Sharing or Receipt of Cyber Threat 
Indicators 

for information sharing under Sec. 4(c) in accordance 
with the title if sharing is done in accordance with the 
bill and, for sharing with the federal government after 
the earlier of submission of interim procedures under 
Sec. 5(a)(1) or 60 days after enactment, it uses the DHS 
process under Sec. 5(c)(1). 

(c) Construction 

Stipulates that nothing in the section 



CRS-41 






- requires dismissal of a cause of action against a 
nonfederal, nongovernment entity that engages in willful 
misconduct in the course of activities under the section, or 

- undermines or limits availability of otherwise 
applicable common law or statutory defenses. 

Establishes the burden of proof as clear and convincing 
evidence from the plaintiff of injury-causing willful 
misconduct, 

Defines willful misconduct as an act or omission taken 
intentionally to achieve a wrongful purpose, knowingly 
without justification, and in disregard of risk of highly 
probable harm that outweighs any benefit. 

‘(9) Federal Government Liability for Violations 
of Restrictions on the Use and Protection of 
Voluntarily Shared Information’ 



Makes the federal government liable to injured persons 
for intentional or willful violation of restrictions on 
federal disclosure and use under ‘Sec. 226’, with 
minimum damages of $1,000 plus 

reasonable attorney fees as determined by the court 
and other reasonable litigation costs in any case under 

(a) where “the complainant has substantially prevailed.” 

Stipulates the federal district courts where the case may 
be brought as the one in which the complainant resides 
or the principal place of business is located, the District 
of Columbia, or 

where the federal department or agency that disclosed 
the information is located. 



requires dismissal of a cause of action against a 
nonfederal entity that engages in willful misconduct in 
the course of activities under the title, or 

[Identical to NCPAA] 

(2) [Similar to NCPAA] 



(3) [Similar to NCPAA], 



Sec. 105. Federal Government Liability for 
Violations of Privacy or Civil Liberties 

(a) In General 

Makes the federal government liable to injured persons 
for intentional or willful violation of privacy and civil 
liberties guidelines under Sec. 104(b), with minimum 
damages of $1,000 plus 

[Identical to NCPAA] 

(b) Venue 

[Identical to NCPAA] 

where the federal department or agency that violated 
the guidelines is located. 

(c) Statute of Limitations 



- requires dismissal of a cause of action against an entity 
that engages in gross negligence or willful misconduct in 
the course of activities under the bill, or 

[Identical to NCPAA] 



CRS - 42 






Sets the statute of limitations under ‘(i)’ at two years 
from the date on which the cause of action arises. 



Sets action under ‘(i)’ as the exclusive remedy for 
violation of restrictions under ‘(i)(3),’ ‘(i)(6),’ or 
‘(i)(7)(B)’. 

‘(10) Anti-Trust Exemption’ 

Exempts nonfederal entities from violation of antitrust 
laws for sharing indicators or defensive measures or 
providing assistance for cybersecurity purposes, 
provided that the action is taken to assist with 
preventing, investigating, or mitigating a cybersecurity 
risk or incident. 

‘(11) Construction and Preemption’ 

Stipulates that the section does not limit or prohibit 
otherwise lawful disclosures or participation in an 
investigation by a nonfederal entity of information to 
any other federal or nonfederal entity. 



Stipulates that the section does not prohibit or limit 
disclosures protected under 5 U.S.C. 2302(b)(8), 5 
U.S.C. 7211, 10 U.S.C. 1034, 50 U.S.C. 3234, or similar 
provisions of federal or state law. 



Stipulates that the section does not affect any 
requirements under other provisions of law for 
nonfederal entities providing information to federal 
entities. 



Sets the statute of limitations under Sec. 105 at two 
years from the date on which the cause of action arises. 

(d) Exclusive Cause of Action. 

Sets action under (d) as the exclusive remedy for 
federal violations under the title. 



Sec. 109(b) Otherwise Lawful Disclosures 

Stipulates that the title does not limit or prohibit 
otherwise lawful disclosures by a nonfederal entity of 
information to any other federal or nonfederal entity, 
or 

any otherwise lawful use by a federal entity, whether or 
not the disclosures duplicate those made under the 
title. 

(c) Whistle Blower Protections 

Stipulates that the title does not prohibit or limit 
disclosures protected under 5 U.S.C. 2302(b)(8), 5 
U.S.C. 7211, 10 U.S.C. 1034, or similar provisions of 
federal or state law. 

(e) Relationship to Other Laws 

Stipulates that the title does not affect any requirements 
under other provisions of law for nonfederal entities 
providing information to federal entities. 



Sec. 4(e) Antitrust Exemption 

Exempts any two or more private entities from 
violation of antitrust laws, except as provided in Sec. 
8(e) [p. 44] for exchanging or providing indicators or 
assistance for cybersecurity purposes to help prevent, 
investigate, or mitigate a cybersecurity risk or incident. 

Sec. 8(a) Otherwise Lawful Disclosures 

Stipulates that the bill does not limit or prohibit 
otherwise lawful disclosures by an entity of information 
to any federal or other entity, or 

any otherwise lawful use by a federal entity, even when 
the disclosures duplicate those made under the bill. 

(b) Whistle Blower Protections 

Stipulates that the bill does not prohibit or limit 
disclosures protected under 5 U.S.C. 2302(b)(8), 5 
U.S.C. 7211, 10 U.S.C. 1034, 50 U.S.C. 3234, or similar 
provisions of federal or state law. 

Stipulates that the bill does not affect any requirements 
under other provisions of law for entities providing 
information to federal entities. 



Stipulates that the section does not change contractual 
relationships between nonfederal entities or them and 
federal entities or abrogate trade-secret or intellectual 
property rights. 

Stipulates that the section does not permit the federal 
government to require nonfederal entities to provide it 
with information, or 

condition sharing of indicators or defensive measures 
on provision by such entities of indicators or defensive 
measures, or 

condition award of grants, contracts, or purchases on 
such provision. 

Stipulates that the section does not create liabilities for 
any nonfederal entities that choose not to engage in the 
voluntary activities authorized in the section. 

Stipulates that the section does not authorize or modify 
existing federal authority to retain and use information 
shared under the title for uses other than those 
permitted under the section. 

Stipulates that the section does not restrict or 
condition sharing for cybersecurity purposes among 
nonfederal entities or require sharing by them with the 
NCCIC. 



Stipulates that nothing in the bill “shall be construed to 
permit price-fixing, allocating a market between 
competitors, monopolizing or attempting to monopolize 



(g) Preservation of Contractual Obligations and 
Rights 

Stipulates that the title does not change contractual 
relationships between nonfederal entities or them and 
federal entities, or abrogate trade-secret or intellectual 
property rights. 

(h) Anti-Tasking Restriction 

Stipulates that the title does not permit the federal 
government to require nonfederal entities to provide it 
with information, or 

condition sharing of indicators on provision of 
indicators, or 



condition award of grants, contracts, or purchases on 
such provision. 

(i) No Liability for Non-Participation 

Stipulates that the title does not create liabilities for any 
nonfederal entities that choose not to engage in a 
voluntary activity authorized in the title. 

(j) Use and Retention of Information 

Stipulates that the title does not authorize or modify 
existing federal authority to retain and use information 
shared under the title for uses other than those 
permitted under the title. 



(g) Preservation of Contractual Obligations and 
Rights 

Stipulates that the bill does not change contractual 
relationships between entities or them and federal 
entities, or abrogate trade-secret or intellectual 
property rights. 

(h) Anti-Tasking Restriction 

Stipulates that the bill does not permit the federal 
government to require nonfederal entities to provide it 
with information, or 

[Similar to PCNA] 



[Identical to PCNA] 

(i) No Liability for Non-Participation 

Stipulates that the bill does not create liabilities for any 
nonfederal entities that choose not to engage in the 
voluntary activities authorized in the bill. 

(j) Use and Retention of Information 

Stipulates that the bill does not authorize or modify 
existing federal authority to retain and use information 
shared under the title for uses other than those 
permitted under the bill. 



(e) Prohibited Conduct 

Stipulates that nothing in the bill “may be construed to 
permit price-fixing, allocating a market between 
competitors, monopolizing or attempting to monopolize 



a market, boycotting, or exchanges of price or cost 
information, customer lists, or information regarding 
future competitive planning.” 

Specifies that the section supersedes state and local 
laws relating to its provisions. 



Requires the Secretary to develop policies and 
procedures for direct reporting by the NCCIC Director 
of significant risks and incidents. 

Requires the Secretary to build on existing mechanisms 
to promote public awareness about the importance of 
securing information systems. 

Requires a report from the Secretary within 180 days of 
enactment to HSC and HSGAC on efforts to bolster 
collaboration on cybersecurity with international 
partners. 

Requires the Secretary, within 60 days of enactment, to 
publicly disseminate information about ways of sharing 
information with the NCCIC, including enhanced 
outreach to CI owners and operators. 



(k) Federal Preemption 

(1) Specifies that the title supersedes state and local 
laws relating to its provisions. 

(2) Stipulates that the title does not supersede state 
and local laws on use of authorized law enforcement 
practices and procedures. 

(3) Stipulates that, except with respect to exemption 
from disclosure under Sec. 103(b)(4), the title does not 
supersede state and local law on private entities 
performing utility services except to the extent that 
they restrict activities under the title. 



(d) Protection of Sources and Methods 

Stipulates that the title does not affect federal 
enforcement actions on classified information or 
conduct of authorized law-enforcement or intelligence 
activities, or modify the authority of the President or 



a market, boycotting, or exchanges of price or cost 
information, customer lists, or information regarding 
future competitive planning.” 

(k) Federal Preemption 

(1) Specifies that the bill supersedes state and local laws 
relating to its provisions. 

[Similar to PCNA] 



(c) Protection of Sources and Methods 

Stipulates that the bill does not affect federal 
enforcement actions on classified information or 
conduct of authorized law-enforcement or intelligence 
activities, or modify the authority of federal entities to 



protect classified information, sources and methods, and 
U.S. national security. 

(m) Authority of Secretary of Defense to 
Respond to Cyber Attacks 

Stipulates that the bill does not “limit the authority of 
the Secretary of Defense to develop, prepare, 
coordinate, or, when authorized by the President to do 
so, conduct a military cyber operation in response to a 
malicious cyber activity carried out against the United 
States or a United States person by a foreign 
government or an organization sponsored by a foreign 
government or a terrorist organization.” 

Sec. 204. Information Sharing and Analysis 
Organizations 

Amends Sec. 212 of the HSA to 

(1) broaden the functions of ISAOs to include 
cybersecurity risk and incident information beyond that 
relating to critical infrastructure, and 

(2) add by reference the definitions of cybersecurity risk 
and incident in 6 U.S.C. 148(a). 

Sec. 205. Streamlining of Department of 
Homeland Security Cybersecurity and 
Infrastructure Protection Organization 

(a) Cybersecurity and Infrastructure Protection 
Directorate 

Renames the DHS National Protection and Programs 
Directorate as the Cybersecurity and Infrastructure 
Protection. [Sic.] 

(b) Senior Leadership of the Cybersecurity and 
Infrastructure Protection Directorate 

Provides a specific title for the undersecretary in charge 
of critical infrastructure protection as U/S-CIP. Also 



federal entities to protect and control dissemination of 
classified information, intelligence sources and methods, 
and U.S. national security. 



adds two deputy undersecretaries, one for 
cybersecurity and the other for infrastructure 
protection. Does not require new appointments for 
current officeholders and specifies that appointment of 
the undersecretaries does not require Senate 
confirmation. 

(c) Report 

Requires a report to HSC and HSGAC from the U/S- 
CIP within 90 days of enactment on the feasibility of 
becoming an operational component of DHS. If that is 
determined to be the best option for mission fulfillment, 
requires submission of a legislative proposal and 
implementation plan. Also requires that the report 
include plans for more effective execution of the 
cybersecurity mission, including expediting of 
information sharing agreements. 

Sec. 206. Cyber Incident Response Plans 

(a) In General 

Amends Sec. 227 of the HSA to change “Plan” to 
“Plans” in the title, to specify the U/S-CIP as the 
responsible official, and to add a new subsection: 

‘(b) Updates to the Cyber Incident Annex to the 
National Response Framework’ 

Requires the Secretary, in coordination with other 
agency heads and in accordance with the National 
Cybersecurity Incident Response Plan, to update, 
maintain, and exercise regularly the Cyber Incident 
Annex to the DHS National Response Framework. 

(b) Clerical Amendment 

Amends the table of contents of the act to reflect the 
title change made by (a). 



Sec. 207. Security and Resiliency of Public Safety 
Communications; Cybersecurity Awareness 
Campaign 

(a) In General 

Adds two new sections to the HSA: 

‘Sec. 230. Security and Resiliency of Public Safety 
Communications’ 

Requires the NCCIC to coordinate with the DHS 
Office of Emergency Communications to assess 
information on cybersecurity incidents involving public 
safety communications to facilitate continuous 
improvement in those communications. 

‘Sec. 231. Cybersecurity Awareness Campaign’ 

‘(a) In General’ 

Requires the U/S-CIP to develop and implement an 
awareness campaign on risks and best practices for 
mitigation and response, including at a minimum public 
service announcements and information on best 
practices that are vendor- and technology-neutral. 

‘(b) Consultation’ 

Requires consultation with a wide range of 
stakeholders. 

‘Sec. 232. National Cybersecurity Preparedness 
Consortium’ 

‘(a) In General’ 

Authorizes the Secretary to establish the National 
Cybersecurity Preparedness Consortium to 

‘(b) Functions’ 

- provide cybersecurity training to state and local first 
responders and officials, 

- establish a training curriculum for them using the DHS 



Community Cyber Security Maturity Model, 

- provide technical assistance for improving capabilities, 

- conduct training and simulation exercises, 

- coordinate with the NCCIC to help states and 
communities develop information sharing programs, and 

- coordinate with the National Domestic Preparedness 
Consortium to incorporate cybersecurity into 
emergency management functions. 

‘(c) Members’ 

Stipulates that members be academic, nonprofit, and 
government partners with prior experience conducting 
cybersecurity training and exercises in support of 
homeland security. 

(b) Clerical Amendment 

Amends the table of contents of the act to include the 
new sections. 

Sec. 208. Critical Infrastructure Protection 
Research and Development 

(a) Strategic Plan; Public-Private Consortiums 

Adds a new section to the HSA: 

‘Sec. 318. Research and Development Strategy 
for Critical Infrastructure Protection’ 

‘(a) In General’ 

Requires the Secretary to submit to Congress within 
180 days of enactment, and biennially thereafter, a 
strategic plan to guide federal R&D in technology 
relating to both cyber- and physical security for CI. 

‘(b) Contents of Plan’ 

Requires the plan to include 

- CI risks and technology gaps identified in consultation 
with stakeholders and a resulting risk and gap analysis, 

- prioritized needs based on that analysis, emphasizing 



technologies to address rapidly evolving threats and 
technology and including clearly defined roadmaps, 

- facilities and capabilities required to meet those needs, 

- current and planned programmatic initiatives to foster 
technology advancement and deployment, including 
collaborative opportunities, and 

- progress on meeting plan requirements. 

‘(c) Coordination’ 

Requires coordination between the DHS Under 
Secretaries for Science and Technology and for the 
National Protection and Programs Directorate. [Note: 
Sec. 205 renames the latter position as the U/S-CIP.] 

‘(d) Consultation’ 

Requires the Under Secretary for Science and 
Technology to consult with CI Sector Coordinating 
Councils, heads of other relevant federal agencies, and 
state, local, and tribal governments as appropriate. 

(b) Clerical Amendment 

Amends the table of contents of the act to include the 
new section. 

Sec. 209. Report on Reducing Cybersecurity 
Risks in DHS Data Centers 

Requires a report to HSC and HSGAC within one year 
of enactment on the feasibility of creating an 
environment within DHS for reduction in cybersecurity 
risks in data centers, including but not limited to 
increased compartmentalization of systems with a mix 
of security controls among compartments. 

Sec. 9. Report on Cybersecurity Threats 
(a) Report Required 

Requires the DNI, in coordination with heads of other 
appropriate elements of the IC, to submit within 180 
days of enactment a report to the House and Senate 



Sec. 108. Report on Cybersecurity Threats 
(a) Report Required 

Requires the DNI, in consultation with heads of other 
appropriate elements of the IC, to submit within 180 
days of enactment a report to the House and Senate 



Intelligence Committees on cybersecurity threats to the 
U.S. national security and economy, including attacks, 
theft, and data breaches. 

(b) Contents 

Requires that the report include 

(1) assessments of current U.S. intelligence sharing and 
cooperation relationships with other countries on such 
threats directed against the United States and 
threatening U.S. national security interests, the 
economy, and intellectual property, identifying the utility 
of relationships, participation by elements of the IC, and 
possible improvements, 

(2) a list and assessment of countries and nonstate 
actors constituting the primary sources of such threats, 

(3) description of how much U.S. capabilities to 
respond to or prevent such threats to the U.S. private 
sector are degraded by delays in notification of the 
threats, 

(4) assessment of additional technologies or capabilities 
that would enhance the U.S. ability to prevent and 
respond to such threats, and 

(5) assessment of private-sector technologies or 
practices that could be rapidly fielded to assist the IC in 
preventing and responding to such threats. 

(c) Form of Report 

Requires that the report be unclassified, but may include 
a classified annex. 

(d) Public Availability of Report 

Requires that the unclassified portion of the report be 
publicly available. 

(e) Intelligence Community Defined 



Intelligence Committees on cybersecurity threats, 
including attacks, theft, and data breaches. 



Requires that the report include 

(1) assessments of current U.S. intelligence sharing and 
cooperation relationships with other countries on such 
threats directed against the United States and 
threatening U.S. national security interests, the 
economy, and intellectual property, specifically 
identifying the utility of relationships, participation by 
elements of the IC, and possible improvements, 

(2) [Similar to PCNA], 

(3) [Similar to PCNA], 



(4) [Similar to PCNA], 



(5) [Identical to PCNA], 



Requires that the report be made available in 
unclassified and classified forms. 



(d) Intelligence Community Defined 



Defines intelligence community as in 50 U.S.C. 3003. 

[Identical to PCNA]. 



Sec. 210. Assessment 

Requires the Comptroller General, within two years of 
enactment, to submit a report to HSC and HSGAC 
assessing implementation of the title and, as practicable, 
findings on increased sharing at NCCIC and throughout 
the United States. 

Sec. 211. Consultation 

Requires a report from the U/S-CIP on the feasibility of 
a prioritization plan in the event of simultaneous multi- 
CI incidents. 

Sec. 212. Technical Assistance 

Requires the DHS IG to review US-CERT and ICS- 
CERT operations to assess their capacity for responding 
to current and potentially increasing requests for 
technical assistance from nonfederal entities. 

Sec. 213. Prohibition on New Regulatory Authority 

Stipulates that the title does not grant DHS new 
authority to promulgate regulations or set standards 
relating to cybersecurity for nonfederal, 
nongovernmental entities. 



Sec. 109(l) Regulatory Authority 

Stipulates that the title does not authorize 

(1) promulgation of regulations or 

(2) establishment of regulatory authority not specified 
by the title, or 

(3) duplicative or conflicting regulatory actions. 



Sec. 8(l) Regulatory Authority 

Stipulates that the bill does not authorize 

(1) promulgation of regulations or 

(2) establishment or limitation of regulatory authority 
not specified by the bill, or 

(3) duplicative or conflicting regulatory actions. 



Sec. 214 Sunset 

Ends all requirements for reports in the title seven 
years after enactment. 

Sec. 215. Prohibition on New Funding 

Stipulates that the title does not authorize additional 
funds for implementation and must be carried out using 
available amounts. 

Sec. 216. Protection of Federal Information 
Systems 

(a) In General 

Adds a new section to the HSA. 



‘Sec. 233. Available Protection of Federal 
Information Systems’ 

‘(a) In General’ 

Requires the Secretary to make available to agencies 
capabilities, including technologies for continuous 
diagnostics and mitigation, for protecting federal 
information systems and their contents from risks. 

‘(b) Activities’ 

Authorizes the Secretary to 

- access information on a system regardless of location, 
and permits agency heads to disclose such information 
to the Secretary or a private entity assisting the 
Secretary, notwithstanding any other provision of law 
that would otherwise restrict such disclosure, 

- obtain assistance through agreements or otherwise 
from private entities for implementing technologies 
under ‘(a),’ 

- use, retain, and disclose information obtained under 
this section only to protect federal systems and their 
contents or, 

with approval of the AG, to respond to 

violations of 18 U.S.C. 1030 [on computer fraud and 
related activities], 

threats of death or serious bodily harm, 

serious threats to minors, including sexual exploitation 
and threats to physical safety, or 

attempts or conspiracy to commit such offenses. 

[Note: Sec. 104(d)(5) has related provisions for 
information shared with the federal government (see p. 
38).] 

[Note: Sec. 5(d)(5) has related provisions for 
information shared with the federal government (see p. 
38).] 

‘(c) Conditions’ 



Requires that the agreements bar disclosure of 
identifying information reasonably believed to be 
unrelated to a cybersecurity risk except to DHS or the 
disclosing agency, or use of information accessed under 
the section by a private entity for any purpose other 
than protecting federal information systems and their 
contents or administration of the agreement. 

‘(d) Limitation’ 

States that no cause of action shall lie against a private 
entity for assistance provided in accordance with this 
section and an agreement under ‘(b).’ 

(b) Clerical Amendment 

Amends the table of contents of the act to include the 
new section. 

Sec. 217. Sunset 

Terminates the provisions in the title seven years after 
enactment. 

Sec. 218. Report on Cybersecurity 
Vulnerabilities of United States Ports 

Requires a report with recommendations from the 
Secretary to HSC, HSGAC, House Committee on 
Transportation and Infrastructure, and Senate 
Committee on Commerce, Science, and Transportation 
within 180 days of enactment on cybersecurity 
vulnerabilities for the ten ports that the Secretary 
determines are at greatest risk of an incident. 

Sec. 219. Report on Cybersecurity and Critical 
Infrastructure 

Authorizes the Secretary to consult with sector-specific 
entities on a report to HSC and HSGAC on federally 
funded cybersecurity R&D with private-sector efforts to 
protect privacy and civil liberties while protecting CI, 
including promoting R&D for secure and resilient design 



Sec. 112. Sunset 

[Identical to NCPAA] 



and construction, enhanced modeling of impacts from 
incidents or threats, and facilitating incentivization of 
investments to strengthen cybersecurity and resilience 
of CI. 






Sec. 220. GAO Report on Impact Privacy and 
Civil Liberties 

Sec. 111. Comptroller General Report on 
Removal of Personal Identifying Information 

(a) Report 

Requires a report from the Comptroller General to 
HSC and HSGAC within five years of enactment 
assessing the impacts of NCCIC activities on privacy 
and civil liberties. 

Requires a report from the Comptroller General to 
Congress within three years of enactment on federal 
actions to remove personal information from threat 
indicators pursuant to Sec. 104(b). 

(b) Form 

Requires that the report be unclassified but permits a 
classified annex. 

Sec. 10. Conforming Amendments 
(a) Public Information 

Amends 5 U.S.C. 552(b) [on public information] to 
specify protection from federal disclosure of 
information provided under the bill. 

(b) Modification of Limitation on Dissemination 
of Certain Information Concerning Penetrations 
of Defense Contractor Networks 

Amends Sec. 941(c)(3) of the FY2013 National Defense 
Authorization Act (10 U.S.C. 2224 note) to permit 
sharing by the Secretary of Defense of threat indicators 
and defensive measures consistent with the procedures 
promulgated by the AG under Sec. 5 of the bill. 



Source: CRS. 



Notes: See “Notes on the Table.” 



Author Contact Information 



Eric A. Fischer 

Senior Specialist in Science and Technology 
efischer@crs.loc.gov, 7-7071 



Stephanie M. Logan 
Research Assistant 
slogan@crs.loc.gov, 7-0504 


